SameSite Cookie Attribute - Is attribute-value required? #389

Closed
ericlaw1979 opened this issue Sep 1, 2017 · 2 comments

Comments

@ericlaw1979

https://bugs.chromium.org/p/chromium/issues/detail?id=635882

Section 3.1 of the spec states that "SameSite" alone (without an attribute value) is a valid token: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00#section-3.1

Section 4.1 https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1 states

  1. If "cookie-av"'s "attribute-value" is not a case-insensitive
    match for "Strict" or "Lax", ignore the "cookie-av".

@ericlaw1979 (Author)

Ah. https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00 draft is outdated vs. https://github.com/httpwg/http-extensions/edit/master/draft-ietf-httpbis-cookie-same-site.md. The latter no longer allows a bare "SameSite" token, and it calls for the cookie to be dropped in the event that the samesite-value isn't either "strict" or "lax".

However, I think this text isn't quite right:

If cookie-av's attribute-value is not a case-insensitive match for
"Strict" or "Lax", ignore the cookie-av.

The cookie-av in this case is 'SameSite=whatever' and we want to ignore the whole cookie, not just the invalid attribute?

@mnot mnot added the 6265bis label Sep 29, 2017
@mnot mnot added the editorial label Dec 12, 2017
fmarier pushed a commit to fmarier/http-extensions that referenced this issue Apr 9, 2018
There is currently a discrepancy in the spec regarding invalid values
in the SameSite cookie attribute.

For example, this cookie:

  Set-Cookie: foo=bar; SameSite=bogus

is expected to be dropped entirely according to the "Server Requirements"
under Section 4.1.2.7:

  If the "SameSite" attribute's value is neither of these [ "Lax",
  "Strict" ], the cookie will be ignored.

whereas under Section 5.3.7 of "User Agent Requirements", the cookie
is to be kept but the attribute is ignored:

  If cookie-av's attribute-value is not a case-insensitive match for
  "Strict" or "Lax", ignore the "cookie-av".

Additionally, the end of Section 4.1.2 also matches the behavior
described in Section 5.3.7:

  User agents ignore unrecognized cookie attributes (but not the entire
  cookie).

From a forward-compatibility point of view, the behavior described in
section 5.3.7 is the ideal one since it allows for future expansion
of this feature such as:

  Set-Cookie: foo=bar; SameSite=medium
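The two readings compared above, and the question in ericlaw1979's second comment about whether the whole cookie or only the attribute should be ignored, come down to one branch in a Set-Cookie parser. The following is an added illustration, not code from the issue, the httpwg draft, Chromium or Firefox: a minimal parser that implements the "ignore the cookie-av" reading of Section 5.3.7 by default and the "ignore the cookie" reading of Section 4.1.2.7 behind an option. The function name `parseSetCookie`, the `dropOnInvalidSameSite` option and the sample headers are assumptions made for this example; attribute splitting loosely follows RFC 6265 section 5.2.

```javascript
// Added example, not part of the issue, the spec, or any browser's code.
// A minimal Set-Cookie parser implementing both readings of an invalid
// SameSite value discussed in this issue. Attribute splitting loosely follows
// RFC 6265 section 5.2 (first "name=value" pair, then ';'-separated cookie-av's).
// parseSetCookie and the dropOnInvalidSameSite option are assumed names.

function parseSetCookie(header, { dropOnInvalidSameSite = false } = {}) {
  const parts = header.split(';');
  const eq = parts[0].indexOf('=');
  if (eq < 0) return null;                        // no '=' in the name-value pair: ignore the cookie
  const name = parts[0].slice(0, eq).trim();
  const value = parts[0].slice(eq + 1).trim();
  if (name === '') return null;                   // empty cookie-name: ignore the cookie

  // The -00 draft quoted above gives a cookie with no (valid) SameSite
  // attribute a same-site-flag of "None".
  const cookie = { name, value, sameSite: 'None', otherAttributes: [], ignoredAttributes: [] };

  for (const av of parts.slice(1)) {
    const i = av.indexOf('=');
    const attrName = (i < 0 ? av : av.slice(0, i)).trim().toLowerCase();
    const attrValue = (i < 0 ? '' : av.slice(i + 1)).trim();

    if (attrName !== 'samesite') {
      // Path, Secure, HttpOnly, ... are not modelled here; they are kept verbatim.
      cookie.otherAttributes.push(av.trim());
      continue;
    }

    // Section 5.3.7: the attribute-value must be a case-insensitive match for
    // "Strict" or "Lax". A bare "SameSite" has an empty attribute-value and so
    // fails the match as well under the quoted text.
    const lower = attrValue.toLowerCase();
    if (lower === 'strict' || lower === 'lax') {
      cookie.sameSite = lower === 'strict' ? 'Strict' : 'Lax';
    } else if (dropOnInvalidSameSite) {
      return null;                                // Section 4.1.2.7 reading: the whole cookie is ignored
    } else {
      cookie.ignoredAttributes.push(av.trim());   // Section 5.3.7 reading: only this cookie-av is ignored
    }
  }
  return cookie;
}

// Constructed sample headers (not captured from any real server).
const SAMPLE_HEADERS = [
  'foo=bar; SameSite=bogus',
  'foo=bar; SameSite=medium',
  'foo=bar; samesite=STRICT',
  'foo=bar; SameSite=lax; Path=/',
  'foo=bar; SameSite',
  'foo=bar',
];

// Runs every header through both readings so the difference is visible side by side.
function compareReadings(headers) {
  return headers.map((header) => ({
    header,
    userAgentReading: parseSetCookie(header),                               // keep cookie, drop attribute
    serverReading: parseSetCookie(header, { dropOnInvalidSameSite: true }), // drop cookie
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of compareReadings(SAMPLE_HEADERS)) {
    const ua = r.userAgentReading ? `kept, sameSite=${r.userAgentReading.sameSite}` : 'dropped';
    const srv = r.serverReading ? `kept, sameSite=${r.serverReading.sameSite}` : 'dropped';
    console.log(`${r.header.padEnd(32)} | 5.3.7: ${ua.padEnd(18)} | 4.1.2.7: ${srv}`);
  }
}
```

Either reading has a security consequence worth keeping in mind when emitting the header: under the 5.3.7 reading a misspelled value silently yields a cookie with no same-site restriction at all, while under the 4.1.2.7 reading it yields no cookie. Since the forward-compatible 5.3.7 behaviour is the one argued for in the commit above, a server cannot rely on a typo failing closed and should validate the SameSite value it sends.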

fmarier commented Apr 9, 2018

#574 is my proposal to fix this.

We ran into this issue in the Firefox implementation: https://bugzilla.mozilla.org/show_bug.cgi?id=1430803

mikewest added a commit that referenced this issue Apr 11, 2018
Clarify handling of invalid SameSite values (fixes #389)
3 participants