Re: [httpwg/http-extensions] SameSite Cookie Attribute - Is attribute-value required? (#389)

HTTP issue updates <http-issues@ietf.org> Thu, 07 September 2017 17:19 UTC

Date: Thu, 07 Sep 2017 17:19:15 +0000
To: httpwg/http-extensions <http-extensions@noreply.github.com>
In-Reply-To: <httpwg/http-extensions/issues/389@github.com>
References: <httpwg/http-extensions/issues/389@github.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-issues/p4nTVG9Cn2A_s8TrtP9pyDuTmLs>
Message-ID: <mailman.802.1504804763.3809.http-issues@ietf.org>

Ah. The https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00 draft is outdated vs. https://github.com/httpwg/http-extensions/edit/master/draft-ietf-httpbis-cookie-same-site.md. The latter no longer allows a bare "SameSite" token, and it calls for the cookie to be dropped in the event that the samesite-value isn't either "strict" or "lax".

However, I think this text isn't quite right:

    If `cookie-av`'s `attribute-value` is not a case-insensitive match for
    "Strict" or "Lax", ignore the `cookie-av`.

The `cookie-av` in this case is 'SameSite=whatever' and we want to ignore the whole cookie, not just the invalid attribute?

Reply to this email directly or view it on GitHub:
https://github.com/httpwg/http-extensions/issues/389#issuecomment-327865650
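To make the two readings of that sentence concrete, here is an added example (not code from the draft, the working group, or the comment above): a minimal Set-Cookie parser in which an assumed `mode` switch selects whether an invalid or bare SameSite attribute causes the whole cookie to be dropped, as the prose of the GitHub draft says, or only the attribute to be ignored, as the quoted rule literally says. It implements the value set the thread discusses (Strict and Lax only); later revisions of the specification changed that set.

```python
# Added example: parse the SameSite attribute of a Set-Cookie header value
# under the two readings discussed in the thread. Only SameSite is modelled;
# other attributes (Secure, HttpOnly, ...) are skipped.

def parse_set_cookie(header: str, mode: str = "drop-cookie"):
    """Return {"name", "value", "samesite"} for the cookie, or None if it is
    dropped.  mode is an assumed switch for this example:
      "drop-cookie"      - an invalid or bare SameSite rejects the whole cookie
                           (the behaviour the draft prose calls for)
      "ignore-attribute" - only the invalid cookie-av is ignored; the cookie
                           is stored without a SameSite value
    """
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        return None  # no name=value pair: not a cookie at all
    cookie = {"name": name.strip(), "value": value.strip(), "samesite": None}

    for av in parts[1:]:
        attr, has_value, attr_value = av.partition("=")
        if attr.strip().lower() != "samesite":
            continue  # other attributes are out of scope here
        # A bare "SameSite" token has no attribute-value, so it cannot match
        # "Strict" or "Lax" and is treated exactly like a bogus value.
        sv = attr_value.strip().lower() if has_value else ""
        if sv in ("strict", "lax"):
            cookie["samesite"] = sv.capitalize()
        elif mode == "drop-cookie":
            return None
        # ignore-attribute: fall through and leave samesite unset
    return cookie


if __name__ == "__main__":
    # Constructed sample headers illustrating each case.
    for h in ("sid=abc; SameSite=Lax; Secure",
              "sid=abc; SameSite=strict",
              "sid=abc; SameSite",
              "sid=abc; SameSite=whatever"):
        print(f"{h!r:40} drop-cookie={parse_set_cookie(h)} "
              f"ignore-attribute={parse_set_cookie(h, 'ignore-attribute')}")
```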