Re: inconsistency in draft-ietf-httpbis-rfc6265bis-07 SameSite default treatment?

Brian Campbell <bcampbell@pingidentity.com> Tue, 25 May 2021 14:17 UTC

References: <CA+k3eCQ0rxXJXuBV48H0i_wVMXw_sNxExj1nZhCPMBw+MbMs+Q@mail.gmail.com> <CAE24Oxzg-2OoA5ogx2s-OV2G3Zb4xyhKaZx3v7y8H-_fCrWnmQ@mail.gmail.com> <CAE24Oxwgqwkf1vFL7+PYDUnuoYrTYPgd5pgbPoJKuop4_KShVw@mail.gmail.com>
In-Reply-To: <CAE24Oxwgqwkf1vFL7+PYDUnuoYrTYPgd5pgbPoJKuop4_KShVw@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 25 May 2021 08:12:46 -0600
Message-ID: <CA+k3eCRZquOtr64pqXJc-XFsGV95qpNz=VeBnS6upyn8Lvfgqg@mail.gmail.com>
To: Lily Chen <chlily@google.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <https://www.w3.org/mid/CA+k3eCRZquOtr64pqXJc-XFsGV95qpNz=VeBnS6upyn8Lvfgqg@mail.gmail.com>

Thanks Lily, and sorry for the noise. I should have checked the editor's
draft before asking about it on list.

On Fri, May 21, 2021 at 3:29 PM Lily Chen <chlily@google.com> wrote:

> Following up on this, it looks like it was already removed
> <https://github.com/httpwg/http-extensions/commit/c467bb923e727f7b03e5a7b6430c5fc91445aa1d#diff-c96f4fab694f25d91c3ae6f4cd68ae735dbcb33dcbb2f4b79a13675b293caa7b>
> (thanks Filippo!) and will be reflected in the -08 version of the draft.
>
> On Fri, May 7, 2021 at 5:21 PM Lily Chen <chlily@google.com> wrote:
>
>> Thanks for pointing that out! You're correct, the note should have been
>> removed or updated. I'll fix that!
>>
>> On Fri, May 7, 2021 at 3:26 PM Brian Campbell <bcampbell@pingidentity.com>
>> wrote:
>>
>>> Looking at parts of draft-ietf-httpbis-rfc6265bis-07 today I noticed
>>> what is maybe a little inconsistency around the treatment of the default
>>> for SameSite.
>>>
>>>
>>> https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-07.html#section-4.1.2.7
>>> has:
>>> 'If the "SameSite" attribute's value is something other than these three
>>> known keywords, the attribute's value will be subject to a default
>>> enforcement mode that is equivalent to "Lax".'
>>> and parts of
>>> https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-07.html#section-5.5
>>> and
>>> https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-07.html#name-draft-ietf-httpbis-rfc6265bis-07
>>> also suggest Lax as the default. As does (relatively recent) current
>>> behaviour from most/all browsers.
>>>
>>> but
>>> https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-07.html#section-5.3.7
>>> ends with this sentence that looks like it's maybe left over from when the
>>> default enforcement mode was "None":
>>> 'Note: This algorithm maps the "None" value, as well as any unknown
>>> value, to the "None" behavior, which is helpful for backwards compatibility
>>> when introducing new variants.'

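The thread above is about one point of the draft: a "SameSite" attribute-value that is not one of the three known keywords (or is absent) must fall into a default enforcement mode equivalent to "Lax", while the leftover note in section 5.3.7 still described unknown values as mapping to "None". The following Python is an added example, written for this page and not code from the thread, the draft, or any browser; it shows both mappings side by side so the security consequence of the stale note is visible. The `sent_cross_site` rule (Lax attaches the cookie only on top-level navigations with a safe method) is assumed here from the draft's general Lax definition; the sample `Set-Cookie` values are constructed, and refinements such as the draft's "Lax-allowing-unsafe" carve-out and the Secure requirement for "None" are deliberately not modelled.

```python
from typing import Dict, List, Optional

# Constructed sample Set-Cookie header values (not taken from the thread).
SAMPLE_SET_COOKIE: List[str] = [
    "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "pref=dark; Path=/; SameSite=lax",        # keyword match is case-insensitive
    "track=xyz; Secure; SameSite=None",
    "legacy=1; Path=/; SameSite=Bogus",       # unknown keyword -> default mode
    "old=2; Path=/",                          # attribute absent  -> default mode
]

# The three keywords the draft knows, normalised to their canonical spelling.
KNOWN_KEYWORDS = {"strict": "Strict", "lax": "Lax", "none": "None"}


def samesite_attribute(set_cookie: str) -> Optional[str]:
    """Return the raw SameSite attribute-value from a Set-Cookie line, or None if absent."""
    for part in set_cookie.split(";")[1:]:          # skip the name=value pair
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "samesite":
            return value.strip()
    return None


def parse_enforcement(attr_value: Optional[str]) -> str:
    """Section 5.3.7 style parse: match known keywords case-insensitively,
    and put anything else (including an absent attribute) in 'Default'."""
    if attr_value is None:
        return "Default"
    return KNOWN_KEYWORDS.get(attr_value.lower(), "Default")


def effective_mode(enforcement: str, stale_note: bool = False) -> str:
    """Resolve 'Default' to a concrete behaviour.

    stale_note=False follows section 4.1.2.7 of -07 (Default is equivalent to Lax).
    stale_note=True follows the leftover note in 5.3.7 (unknown values behave as None),
    which is the inconsistency the thread reports.
    """
    if enforcement != "Default":
        return enforcement
    return "None" if stale_note else "Lax"


def sent_cross_site(mode: str, top_level_navigation: bool, safe_method: bool) -> bool:
    """Assumed rule: is a cookie in this mode attached to a cross-site request?"""
    if mode == "None":
        return True                      # always sent
    if mode == "Strict":
        return False                     # never sent cross-site
    # Lax: only on top-level navigations that use a safe method (e.g. GET)
    return top_level_navigation and safe_method


def classify(lines: List[str], stale_note: bool = False) -> Dict[str, str]:
    """Map each sample cookie name to the mode it would actually be enforced under."""
    result = {}
    for line in lines:
        name = line.split("=", 1)[0].strip()
        result[name] = effective_mode(parse_enforcement(samesite_attribute(line)), stale_note)
    return result


if __name__ == "__main__":
    for label, stale in (("draft -07 section 4.1.2.7", False), ("leftover 5.3.7 note", True)):
        modes = classify(SAMPLE_SET_COOKIE, stale_note=stale)
        print(f"{label}: {modes}")
        # A cross-site <img> or fetch is a non-top-level request: under the stale note
        # the 'legacy' and 'old' cookies would ride along on it.
        for name, mode in modes.items():
            print(f"  {name}: cross-site subresource gets cookie = "
                  f"{sent_cross_site(mode, top_level_navigation=False, safe_method=True)}")
```

Running the block prints the two mode tables; the interesting rows are `legacy` and `old`, which resolve to Lax under the corrected text but to None under the stale note, so a cookie set without a recognised keyword would be attached to cross-site subresource requests under the latter reading.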