From 1379480573c88a3b1c17613f57341d783940a8b8 Mon Sep 17 00:00:00 2001 From: Mike Taylor Date: Wed, 14 Oct 2020 16:32:50 -0500 Subject: [PATCH 1/5] Treat cookies as "SameSite=Lax" by default. --- draft-ietf-httpbis-rfc6265bis.md | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/draft-ietf-httpbis-rfc6265bis.md b/draft-ietf-httpbis-rfc6265bis.md index f08db88bb..04afe8629 100644 --- a/draft-ietf-httpbis-rfc6265bis.md +++ b/draft-ietf-httpbis-rfc6265bis.md @@ -1254,15 +1254,18 @@ attribute-name of HttpOnly and an empty attribute-value. If the attribute-name case-insensitively matches the string "SameSite", the user agent MUST process the cookie-av as follows: -1. Let `enforcement` be "None". +1. Let `enforcement` be "Default". -2. If cookie-av's attribute-value is a case-insensitive match for "Strict", +2. If cookie-av's attribute-value is a case-insensitive match for "None", + set `enforcement` to "None". + +3. If cookie-av's attribute-value is a case-insensitive match for "Strict", set `enforcement` to "Strict". -3. If cookie-av's attribute-value is a case-insensitive match for "Lax", set +4. If cookie-av's attribute-value is a case-insensitive match for "Lax", set `enforcement` to "Lax". -4. Append an attribute to the cookie-attribute-list with an attribute-name +5. Append an attribute to the cookie-attribute-list with an attribute-name of "SameSite" and an attribute-value of `enforcement`. Note: This algorithm maps the "None" value, as well as any unknown value, to 
@@ -1432,10 +1435,10 @@ user agent MUST process the cookie as follows: not for a path of '/login' or '/login/en'. 14. If the cookie-attribute-list contains an attribute with an - attribute-name of "SameSite", set the cookie's same-site-flag to the - attribute-value of the last attribute in the cookie-attribute-list with an - attribute-name of "SameSite" (i.e. either "Strict", "Lax", or "None"). - Otherwise, set the cookie's same-site-flag to "None". + attribute-name of "SameSite", and an attribute-value of "Strict", "Lax", or + "None", set the cookie's same-site-flag to the attribute-value of the last + attribute in the cookie-attribute-list with an attribute-name of "SameSite". + Otherwise, set the cookie's same-site-flag to "Default". 15. If the cookie's `same-site-flag` is not "None": @@ -1577,7 +1580,7 @@ compute the cookie-string from a cookie store and a request-uri: cross-site (as defined in {{same-site-requests}}) then exclude the cookie unless all of the following statements hold: - 1. The same-site-flag is "Lax" + 1. The same-site-flag is "Lax" or "Default". 2. The HTTP request's method is "safe". From 0001e898e485dbba28198eda727b5f7e6c082979 Mon Sep 17 00:00:00 2001 From: Mike Taylor Date: Wed, 25 Nov 2020 12:04:03 -0600 Subject: [PATCH 2/5] Update non-normative language to mention default Lax-like enforcement. Also update the changelog. --- draft-ietf-httpbis-rfc6265bis.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/draft-ietf-httpbis-rfc6265bis.md b/draft-ietf-httpbis-rfc6265bis.md index 04afe8629..b380564d0 100644 --- a/draft-ietf-httpbis-rfc6265bis.md +++ b/draft-ietf-httpbis-rfc6265bis.md 
@@ -661,7 +661,7 @@ with same-site requests, and with "cross-site" top-level navigations, as described in {{strict-lax}}. If the value is "None", the cookie will be sent with same-site and cross-site requests. If the "SameSite" attribute's value is something other than these three known keywords, the attribute's value will be -treated as "None". +subject to a default enforcement mode that is equivalent to "Lax". The "SameSite" attribute affects cookie creation as well as delivery. Cookies which assert "SameSite=Lax" or "SameSite=Strict" cannot be set in responses to @@ -2167,6 +2167,10 @@ The "Cookie Attribute Registry" will be updated with the registrations below: created without parsing a cookie string: . +* Add a default enforcement value to the `same-site-flag`, equivalent to + "SameSite=Lax": + . + # Acknowledgements {:numbered="false"} RFC 6265 was written by Adam Barth. This document is a minor update of From ae49319838ec74fdc9c4f771039e1e2be7b38008 Mon Sep 17 00:00:00 2001 From: Mike Taylor Date: Wed, 14 Oct 2020 17:22:35 -0500 Subject: [PATCH 3/5] Require "Secure" for "SameSite=None". --- draft-ietf-httpbis-rfc6265bis.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/draft-ietf-httpbis-rfc6265bis.md b/draft-ietf-httpbis-rfc6265bis.md index b380564d0..8bf2c30df 100644 --- a/draft-ietf-httpbis-rfc6265bis.md +++ b/draft-ietf-httpbis-rfc6265bis.md 
@@ -1463,11 +1463,14 @@ user agent MUST process the cookie as follows: 4. Abort these steps and ignore the newly created cookie entirely. -16. If the cookie-name begins with a case-sensitive match for the string +16. If the cookie's "same-site-flag" is "None", abort these steps and ignore the + cookie entirely unless the cookie's secure-only-flag is true. + +17. If the cookie-name begins with a case-sensitive match for the string "__Secure-", abort these steps and ignore the cookie entirely unless the cookie's secure-only-flag is true. -17. If the cookie-name begins with a case-sensitive match for the string +18. If the cookie-name begins with a case-sensitive match for the string "__Host-", abort these steps and ignore the cookie entirely unless the cookie meets all the following criteria: @@ -1478,7 +1481,7 @@ user agent MUST process the cookie as follows: 3. The cookie-attribute-list contains an attribute with an attribute-name of "Path", and the cookie's path is `/`. -18. If the cookie store contains a cookie with the same name, domain, +19. If the cookie store contains a cookie with the same name, domain, host-only-flag, and path as the newly-created cookie: 1. Let old-cookie be the existing cookie with the same name, domain, @@ -1495,7 +1498,7 @@ user agent MUST process the cookie as follows: 4. Remove the old-cookie from the cookie store. -19. Insert the newly-created cookie into the cookie store. +20. Insert the newly-created cookie into the cookie store. A cookie is "expired" if the cookie has an expiry date in the past. From d241895a1dc4cf7d3686ca2e213a2c00565d2f04 Mon Sep 17 00:00:00 2001 From: Mike Taylor Date: Wed, 25 Nov 2020 14:03:12 -0600 Subject: [PATCH 4/5] Update changelog for Secure-"SameSite=None" --- draft-ietf-httpbis-rfc6265bis.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/draft-ietf-httpbis-rfc6265bis.md b/draft-ietf-httpbis-rfc6265bis.md index 8bf2c30df..5149de75f 100644 --- a/draft-ietf-httpbis-rfc6265bis.md 
+++ b/draft-ietf-httpbis-rfc6265bis.md @@ -2174,6 +2174,9 @@ The "Cookie Attribute Registry" will be updated with the registrations below: "SameSite=Lax": . +* Require a Secure attribute for "SameSite=None": + . + # Acknowledgements {:numbered="false"} RFC 6265 was written by Adam Barth. This document is a minor update of From 0924992f6dd6c51031b65a48020a3b92896b894f Mon Sep 17 00:00:00 2001 From: Mike West Date: Wed, 2 Dec 2020 07:40:32 +0100 Subject: [PATCH 5/5] Update draft-ietf-httpbis-rfc6265bis.md --- draft-ietf-httpbis-rfc6265bis.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/draft-ietf-httpbis-rfc6265bis.md b/draft-ietf-httpbis-rfc6265bis.md index 441f697e1..d9ae96849 100644 --- a/draft-ietf-httpbis-rfc6265bis.md +++ b/draft-ietf-httpbis-rfc6265bis.md @@ -2156,8 +2156,7 @@ The "Cookie Attribute Registry" will be updated with the registrations below: . * Fixed serialization for nameless/valueless cookies: - . + . * Converted a normative reference to Mozilla's Public Suffix List {{PSL}} into an informative reference:
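Review bot: the trailing context line of the first hunk in patch 1/5 ("Note: This algorithm maps the "None" value, as well as any unknown value, to ...") is now stale: with step 1 initialising `enforcement` to "Default" and the new step 2 matching "None" explicitly, "None" is no longer folded together with unknown values, and unknown values now yield "Default" rather than "None". Reword the note so that it says only unrecognised attribute-values map to "Default", otherwise the non-normative text directly contradicts the algorithm it sits under.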
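Review bot: step 14 in the -1432 hunk of patch 1/5 now stores "Default" in the same-site-flag, so the unchanged step 15 condition visible as trailing context ("If the cookie's `same-site-flag` is not "None":") silently widens to every cookie that carries no SameSite attribute at all. That is a creation-time behaviour change, since the cross-site creation restrictions that the prose (patch 2/5, -661 hunk) still describes as applying to cookies which "assert "SameSite=Lax" or "SameSite=Strict"" now apply to all such cookies, and nothing in the series says so. Either state it explicitly in that prose and in the changelog, or change the step 15 condition to "is "Lax" or "Strict"" if "Default" was meant to affect delivery only.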
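Review bot: step 1 in the -1577 hunk of patch 1/5 ("The same-site-flag is "Lax" or "Default".") introduces "Default" into the cookie-string computation without the term being defined anywhere in the patch; the flag's value set is only implied by step 14 of the storage algorithm and by the description in {{strict-lax}}. Add a sentence in {{strict-lax}} listing "Default" alongside "Strict", "Lax" and "None" and stating that it is handled exactly as "Lax" in this step, so an implementer does not have to infer the semantics from a single bullet.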
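Review bot: the replacement sentence in the -661 hunk of patch 2/5 covers only the case where the "SameSite" attribute carries an unknown keyword; the far more common case, a cookie with no SameSite attribute at all, is also assigned "Default" by step 14 of the storage algorithm (patch 1/5) and should be stated here as well, e.g. "If the "SameSite" attribute is absent, or its value is something other than these three known keywords, the cookie is subject to a default enforcement mode that is equivalent to "Lax"." It is also worth saying in the same paragraph that this reverses the previous treatment of unknown values as "None", since that is the line being deleted.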
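Review bot: the changelog entry added in the -2167 hunk of patch 2/5 records the new default but not its compatibility-relevant corollary, namely that unknown SameSite values, formerly treated as "None" (the -661 hunk in the same patch), are now Lax-equivalent. Add that to the entry so that implementers scanning the changelog see the behavioural change and not only the new flag value.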
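Review bot: the new step 16 in the -1463 hunk of patch 3/5 writes the flag name as "same-site-flag" in double quotes, whereas the neighbouring step 15 (visible in patch 1/5) uses backticks (`same-site-flag`) and steps 17 and 18 refer to secure-only-flag with no quoting at all; pick one convention for the whole algorithm. On substance, rejecting the cookie outright rather than downgrading it is the right call for a security requirement, but the non-normative description of "None" in the -661 hunk of patch 2/5 still reads "the cookie will be sent with same-site and cross-site requests" with no mention that a non-Secure "SameSite=None" cookie is ignored entirely; the prose should state the Secure requirement next to the definition of "None".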
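Review bot: the changelog entry in the -2174 hunk of patch 4/5 says "Require a Secure attribute for "SameSite=None"", but the normative step it records (step 16 in patch 3/5) ignores a non-Secure "SameSite=None" cookie entirely rather than stripping or downgrading the attribute; spell out that such cookies are rejected, since that is the consequence site owners and implementers need to see in the changelog.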
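Review bot: the commit message of patch 5/5 ("Update draft-ietf-httpbis-rfc6265bis.md") is the web-editor default and says nothing about the change; the stat line (1 insertion, 2 deletions) together with the -2156 hunk shows the reference lines under the "Fixed serialization for nameless/valueless cookies" changelog entry being collapsed to a single one, so say that in the message (e.g. "Changelog: drop duplicated reference under the nameless/valueless cookies entry"). The link targets themselves are not visible in this extract, so please confirm that the surviving reference is the intended one.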