SameSite Cookie Attribute - Is attribute-value required? #389
Section 3.1 of the spec states that "SameSite" alone (without an attribute value) is a valid token: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00#section-3.1

Section 4.1 https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1 states:

> [...] match for "Strict" or "Lax", ignore the "cookie-av".

Comments

Ah. https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00 draft is outdated vs. https://github.com/httpwg/http-extensions/edit/master/draft-ietf-httpbis-cookie-same-site.md. The latter no longer allows a bare "SameSite" token, and it calls for the cookie to be dropped in the event that the samesite-value isn't either "strict" or "lax". However, I think this text isn't quite right: If The

There is currently a discrepancy in the spec regarding invalid values in the SameSite cookie attribute. For example, this cookie:

    Set-Cookie: foo=bar; SameSite=bogus

is expected to be dropped entirely according to the "Server Requirements" under Section 4.1.2.7:

> If the "SameSite" attribute's value is neither of these ["Lax", "Strict"], the cookie will be ignored.

whereas under Section 5.3.7 of "User Agent Requirements", the cookie is to be kept but the attribute is ignored:

> If cookie-av's attribute-value is not a case-insensitive match for "Strict" or "Lax", ignore the "cookie-av".

Additionally, the end of Section 4.1.2 also matches the behavior described in Section 5.3.7:

> User agents ignore unrecognized cookie attributes (but not the entire cookie).

From a forward-compatibility point of view, the behavior described in Section 5.3.7 is the ideal one since it allows for future expansion of this feature such as:

    Set-Cookie: foo=bar; SameSite=medium

#574 is my proposal to fix this. We ran into this issue in the Firefox implementation: https://bugzilla.mozilla.org/show_bug.cgi?id=1430803

Clarify handling of invalid SameSite values (fixes #389)

https://bugs.chromium.org/p/chromium/issues/detail?id=635882
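The two readings of the draft discussed in this thread, "ignore only the invalid cookie-av" (Section 5.3.7) versus "ignore the whole cookie" (the Section 4.1.2.7 wording), side by side on concrete headers. This is an added example, not code from the thread, the draft, or any browser: `parseSetCookie`, `compareReadings`, the `invalidSameSite` switch and the sample headers are assumptions of mine, and an absent or ignored attribute is recorded as `sameSite: null` rather than as whatever default a particular draft revision assigns.

```javascript
// Added example: a minimal Set-Cookie parser that can apply either reading of
// the SameSite draft, so the difference on "SameSite=bogus", "SameSite=medium"
// and a bare "SameSite" token is visible. Not the spec's or any browser's code.

const KNOWN_SAMESITE = new Map([["strict", "Strict"], ["lax", "Lax"]]);

/**
 * Parse one Set-Cookie header value.
 *
 * @param {string} header  e.g. 'foo=bar; Path=/; SameSite=Lax'
 * @param {"ignore-attribute"|"drop-cookie"} invalidSameSite  (name is mine)
 *   "ignore-attribute": Section 5.3.7 reading, unrecognised value drops only the cookie-av
 *   "drop-cookie":      Section 4.1.2.7 wording, unrecognised value drops the whole cookie
 * @returns {{name:string, value:string, sameSite:(string|null), attributes:Object}|null}
 *   null when the cookie is rejected. sameSite is null when no usable SameSite
 *   attribute was present; this parser records no default enforcement mode.
 */
function parseSetCookie(header, invalidSameSite = "ignore-attribute") {
  if (typeof header !== "string") return null;
  const [pair, ...avs] = header.split(";");
  const eq = pair.indexOf("=");
  if (eq < 0) return null;            // RFC 6265 5.2: no "=" in name-value-pair, ignore cookie
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  if (name === "") return null;       // RFC 6265 5.2: empty name, ignore cookie

  const cookie = { name, value, sameSite: null, attributes: {} };

  for (const av of avs) {
    const i = av.indexOf("=");
    const attrName = (i < 0 ? av : av.slice(0, i)).trim();
    const attrValue = i < 0 ? "" : av.slice(i + 1).trim(); // bare token -> empty attribute-value
    if (attrName === "") continue;

    if (attrName.toLowerCase() === "samesite") {
      // attribute-value is matched case-insensitively against "Strict" / "Lax"
      const canonical = KNOWN_SAMESITE.get(attrValue.toLowerCase());
      if (canonical === undefined) {
        if (invalidSameSite === "drop-cookie") return null; // whole cookie ignored
        continue;                                           // only this cookie-av ignored
      }
      cookie.sameSite = canonical;
    } else {
      // Other attributes are kept verbatim; a real UA applies RFC 6265 5.2 rules to each.
      cookie.attributes[attrName] = attrValue;
    }
  }
  return cookie;
}

// Constructed sample headers covering the cases raised in the thread.
const SAMPLES = [
  "foo=bar; SameSite=Strict",
  "foo=bar; samesite=LAX",     // case-insensitive attribute-name and attribute-value
  "foo=bar; SameSite=bogus",   // the header quoted in the discussion
  "foo=bar; SameSite=medium",  // hypothetical future value
  "foo=bar; SameSite",         // bare token, as draft -00 section 3.1 allowed
];

// Returns one row per header with the result under each reading.
function compareReadings(headers = SAMPLES) {
  return headers.map((h) => ({
    header: h,
    ignoreAttribute: parseSetCookie(h, "ignore-attribute"),
    dropCookie: parseSetCookie(h, "drop-cookie"),
  }));
}

for (const row of compareReadings()) {
  console.log(JSON.stringify(row));
}
```

Under the Section 5.3.7 reading every sample survives as a cookie named `foo`, with `sameSite` set only for the first two; under the drop-cookie reading the last three headers yield no cookie at all, which is the forward-compatibility cost the comment above points out.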