From 970826207892eeb689b2144af74906e8e8e97716 Mon Sep 17 00:00:00 2001 From: Mike Taylor Date: Wed, 2 Dec 2020 00:42:47 -0600 Subject: [PATCH] Require "Secure" for "SameSite=None". (#1323) * Treat cookies as "SameSite=Lax" by default. * Update non-normative language to mention default Lax-like enforcement. Also update the changelog. * Require "Secure" for "SameSite=None". * Update changelog for Secure-"SameSite=None" * Update draft-ietf-httpbis-rfc6265bis.md Co-authored-by: Mike West --- draft-ietf-httpbis-rfc6265bis.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/draft-ietf-httpbis-rfc6265bis.md b/draft-ietf-httpbis-rfc6265bis.md index 17083f09b..d9ae96849 100644 --- a/draft-ietf-httpbis-rfc6265bis.md +++ b/draft-ietf-httpbis-rfc6265bis.md @@ -1462,11 +1462,14 @@ user agent MUST process the cookie as follows: 4. Abort these steps and ignore the newly created cookie entirely. -16. If the cookie-name begins with a case-sensitive match for the string +16. If the cookie's "same-site-flag" is "None", abort these steps and ignore the + cookie entirely unless the cookie's secure-only-flag is true. + +17. If the cookie-name begins with a case-sensitive match for the string "__Secure-", abort these steps and ignore the cookie entirely unless the cookie's secure-only-flag is true. -17. If the cookie-name begins with a case-sensitive match for the string +18. If the cookie-name begins with a case-sensitive match for the string "__Host-", abort these steps and ignore the cookie entirely unless the cookie meets all the following criteria: 
@@ -1477,7 +1480,7 @@ user agent MUST process the cookie as follows: 3. The cookie-attribute-list contains an attribute with an attribute-name of "Path", and the cookie's path is `/`. -18. If the cookie store contains a cookie with the same name, domain, +19. If the cookie store contains a cookie with the same name, domain, host-only-flag, and path as the newly-created cookie: 1. Let old-cookie be the existing cookie with the same name, domain, @@ -1494,7 +1497,7 @@ user agent MUST process the cookie as follows: 4. Remove the old-cookie from the cookie store. -19. Insert the newly-created cookie into the cookie store. +20. Insert the newly-created cookie into the cookie store. A cookie is "expired" if the cookie has an expiry date in the past. @@ -2170,6 +2173,10 @@ The "Cookie Attribute Registry" will be updated with the registrations below: "SameSite=Lax": . +* Require a Secure attribute for "SameSite=None": + . + + # Acknowledgements {:numbered="false"} RFC 6265 was written by Adam Barth. This document is a minor update of
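Review bot: new step 16 in the first hunk (`If the cookie's "same-site-flag" is "None", abort these steps and ignore the cookie entirely unless the cookie's secure-only-flag is true.`) is only safe once the default same-site-flag is "Lax"; as long as a cookie with no SameSite attribute still gets a same-site-flag of "None", this step silently drops every non-Secure cookie that never mentioned SameSite at all. The commit message lists "Treat cookies as SameSite=Lax by default" and an update to the non-normative text, but the diffstat (11 insertions, 4 deletions) is fully accounted for by the four hunks shown, none of which touches the step that assigns the default. Either the default-Lax change needs to land in the same patch, or the commit message should be trimmed to what the diff actually contains.

Review bot: the renumbering of steps 16 through 19 in the first three hunks (16→17, 17→18, 18→19, 19→20) is mechanical, but any prose or other section of the draft that refers to these steps by number (for example text that points at the "__Host-" criteria as step 17) will now be off by one; grep the rest of draft-ietf-httpbis-rfc6265bis.md for references to the old numbers before merging.

Review bot: the changelog entry in the last hunk (`* Require a Secure attribute for "SameSite=None":` followed by a link line) should point at the issue named in the subject line (#1323), matching the neighbouring "SameSite=Lax" entry's pattern of colon plus link; the link target is not visible in this extraction, so confirm it was filled in. The hunk also adds two blank lines after the entry; check that only one separates the list from the Acknowledgements heading so the list formatting stays consistent with the rest of the changelog.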