inconsistency in draft-ietf-httpbis-rfc6265bis-07 SameSite default treatment?
Brian Campbell <bcampbell@pingidentity.com> Fri, 07 May 2021 19:25 UTC
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 07 May 2021 13:22:41 -0600
Message-ID: <CA+k3eCQ0rxXJXuBV48H0i_wVMXw_sNxExj1nZhCPMBw+MbMs+Q@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Subject: inconsistency in draft-ietf-httpbis-rfc6265bis-07 SameSite default treatment?
Archived-At: <https://www.w3.org/mid/CA+k3eCQ0rxXJXuBV48H0i_wVMXw_sNxExj1nZhCPMBw+MbMs+Q@mail.gmail.com>
Looking at parts of draft-ietf-httpbis-rfc6265bis-07 today I noticed what is maybe a little inconsistency around the treatment of the default for SameSite.

https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-07.html#section-4.1.2.7 has:

'If the "SameSite" attribute's value is something other than these three known keywords, the attribute's value will be subject to a default enforcement mode that is equivalent to "Lax".'

and parts of https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-07.html#section-5.5 and https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-07.html#name-draft-ietf-httpbis-rfc6265bis-07 also suggest Lax as the default. As does (relatively recent) current behaviour from most/all browsers.

But https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-07.html#section-5.3.7 ends with this sentence that looks like it's maybe left over from when the default enforcement mode was "None":

'Note: This algorithm maps the "None" value, as well as any unknown value, to the "None" behavior, which is helpful for backwards compatibility when introducing new variants.'
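The two readings of the draft that the message contrasts can be made concrete in code. The following is an added example (not from the post, the draft, or any browser implementation): it parses the SameSite attribute of a Set-Cookie line, maps unknown values to a chosen default, and then applies the Strict/Lax/None sending rules to a cross-site form POST, which is the request shape SameSite is meant to protect against. Names such as `parse_samesite`, `cookie_attached` and `compare_unknown_value` are this example's own; treating a missing attribute the same as an unknown value is a simplification, and the Secure requirement that accompanies SameSite=None is not modeled.

```python
"""Added example, not part of draft-ietf-httpbis-rfc6265bis-07 or the post.

Compares the "unknown value -> Lax" default stated in section 4.1.2.7 with
the "unknown value -> None" mapping that the leftover note in section 5.3.7
still describes, by running both against the same cross-site request.
"""
from enum import Enum


class SameSite(Enum):
    STRICT = "Strict"
    LAX = "Lax"
    NONE = "None"


# Known keywords, matched case-insensitively.
KNOWN = {m.value.lower(): m for m in SameSite}


def parse_samesite(set_cookie: str, *, unknown_default: SameSite = SameSite.LAX) -> SameSite:
    """Return the enforcement mode for one Set-Cookie header value.

    The first ';'-separated part is the cookie-pair; the rest are attributes.
    An unrecognised SameSite value falls back to `unknown_default` (Lax per
    section 4.1.2.7, None per the stale note in section 5.3.7). As a
    simplification, a missing attribute is treated the same way.
    """
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "samesite":
            return KNOWN.get(value.strip().lower(), unknown_default)
    return unknown_default


def cookie_attached(mode: SameSite, *, same_site: bool,
                    top_level_navigation: bool, safe_method: bool) -> bool:
    """Decide whether a cookie with enforcement `mode` is sent on a request.

    Strict: same-site requests only.
    Lax:    same-site requests, plus cross-site top-level navigations that
            use a safe method (e.g. GET).
    None:   sent on any request.
    """
    if same_site:
        return True
    if mode is SameSite.STRICT:
        return False
    if mode is SameSite.LAX:
        return top_level_navigation and safe_method
    return True


def compare_unknown_value(set_cookie: str) -> dict:
    """Evaluate one header under both readings of the draft for a cross-site,
    top-level form POST (the classic CSRF shape). Under the Lax default the
    cookie is withheld; under the None default it is attached."""
    readings = (
        ("4.1.2.7 unknown->Lax", SameSite.LAX),
        ("5.3.7 note unknown->None", SameSite.NONE),
    )
    result = {}
    for label, default in readings:
        mode = parse_samesite(set_cookie, unknown_default=default)
        result[label] = cookie_attached(
            mode, same_site=False, top_level_navigation=True, safe_method=False
        )
    return result


if __name__ == "__main__":
    # Constructed sample header with a value the draft does not define.
    for label, sent in compare_unknown_value("sid=abc123; Path=/; SameSite=Bogus").items():
        print(f"{label}: cookie sent on cross-site POST = {sent}")
```

The point the comparison makes is that the choice of default is not cosmetic: a cookie carrying a typo or a not-yet-standardised keyword is CSRF-protected under the section 4.1.2.7 reading and unprotected under the section 5.3.7 note, so the two passages cannot both be normative.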
- inconsistency in draft-ietf-httpbis-rfc6265bis-07… Brian Campbell
- Re: inconsistency in draft-ietf-httpbis-rfc6265bi… Lily Chen
- Re: inconsistency in draft-ietf-httpbis-rfc6265bi… Lily Chen
- Re: inconsistency in draft-ietf-httpbis-rfc6265bi… Brian Campbell