[OAUTH-WG] OAuth for Browser-Based Apps BCP
Aaron Parecki <aaron@parecki.com> Thu, 25 June 2026 23:52 UTC
Return-Path: <aaron@parecki.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id CCC8E1079C7A1 for <oauth@mail2.ietf.org>; Thu, 25 Jun 2026 16:52:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1782431531; bh=3ZWgL9MzuaMED/kz/Lri40/I32uGIg1/1Fr4kmpeRlE=; h=From:Date:Subject:To; b=QAuVlp8Tn2Hu5AxxZLt9kXlNMGEJdaZ6uewUAM7NU2Ex9t/IXlo72KhPiKH+ukBNf huPDnHg9ybT9NF1MyVybTPKmWv+8xiMLl+obytaYJcn7dzxJFTQ/F2AwGiO0urIilo 8+IvvVu4PbNEa0ENnVma2mD5pGDnd3nzmfpozGt8=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.089
X-Spam-Level:
X-Spam-Status: No, score=-2.089 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=parecki.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IoLf8dQROVEb for <oauth@mail2.ietf.org>; Thu, 25 Jun 2026 16:52:11 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 99C801079C60E for <oauth@ietf.org>; Thu, 25 Jun 2026 16:50:28 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id 2adb3069b0e04-5ad4a5647e5so198212e87.3 for <oauth@ietf.org>; Thu, 25 Jun 2026 16:50:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki.com; s=google; t=1782431427; x=1783036227; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=3ZWgL9MzuaMED/kz/Lri40/I32uGIg1/1Fr4kmpeRlE=; b=GlCB/eo5HILWnfL5ZJt0trt420syZ4ewdkdxWq9KSLH7PAcXWAiTt5SL0UwhqPoIoJ 6FviU8Fo4WJonzOhH2bDFnhubJ8pTuRWPIbosdHHaCNa6bxZ7biOZ3RMzJyrDM0fShMi eGLesq1wiq7ofxq7hYOeTerdu3uW6wsdkESGe6Vjy8bKOdGi27KvQ05cZJc0OFZ4/NUo d+5HJlfZUMX7NFPYjwnTYTIjQRsFKnhQ+sUxgPQnOyQibKJ6rZemKZVh0nvkGzZx6Rg/ gDeycHzBwYZpMLCEKVR0jaJHwUxqYQl1mndFZcUkPnNm/mdJ1DNBCsF7xt6PQe0WK8Bb fbFQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782431427; x=1783036227; h=to:subject:message-id:date:from:mime-version:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=3ZWgL9MzuaMED/kz/Lri40/I32uGIg1/1Fr4kmpeRlE=; b=ae8Ppr7cKS6kL154M3K1jmBX2AdsfjLZk2vBOqFdYRB7C5jAtuCnwEupMi3pPfhn6j DPFZTtiQKmi8Lavv6+I2jrhbwtB1Gk43HTCLUQk9AKsB/baddLjJgA36zHooKqL4GqhV wK42/LBxswykH9LVMYniwSFKiqkWDv0mXySEjF24cwZH7KJnVyf6uInL69QgBKB0qUE9 5vxQicyQbaamuPvLev8ljq7ZYTyMrjxpDQ5uxGCW8dydpR77mdrnNulXIpMYsTY9h5Wj /g56QEauCnufAEZGR2Bu+ddarzwVshcRL0bvlDZefPhyvA/DimNUa26mtHdY3X0b/KKC tAdw==
X-Gm-Message-State: AOJu0Yz5BQnNy3xxHyvcrLiwFbyqmC/fYV3jAp7Yrp4uARuc0jVrfM4E HC7vEurOtlBMIOCKXT3SeN83jsl+l78LU6dmvi3KeCP/TE5s9zDPVVRmVgJt2BbnW3f+IL63bR2 AdK7yaQ==
X-Gm-Gg: AfdE7ckrA4yyfhVqLiQiS4KVIPbiM69fiUQH3a9JKivdR0UzfKbeSHRVbgs2s2AHMW0 OZs8txLa3tGQh/SNNQOb3GbxzIM80E4p+zZcphBYBmWPPxtsBjocNEL/pxAOFA/2g+vufLjNSdn hVWP/3F2+3JnDjT6UHVMEeMMkFaPKH8w9HwDxh5z6X4dN4NAX0N0cLZkGPIym7qFcAyUbS9Dpzj +PDp6p69rbeQAVNd1UJaS9MATIxdKWccowMiu7o0UlNkTde25xgUAlc5ncvmvpxwT0rDteBshaA sWE9dD/byQWBRfoUp0qC7feea90Sdk2idcBNpi6saXlBIm3cE3HiP4HOVnwpwAPR067haB7YaRE MhvrZr9PrkEjxN+QqWt3as0Uoz4j43KN/srMmieLE2w50NqzCmFWHCiCzdiqRT42h3653gAzqnq vsGYaOjXx4j2OXRPGtJZ8m4aNmBO8ZQmLzBBszepjyKEyqNiP5tTMvHgaql+4O
X-Received: by 2002:a05:6512:4203:b0:5ae:9d23:2887 with SMTP id 2adb3069b0e04-5aea1f4b643mr1389214e87.32.1782431427117; Thu, 25 Jun 2026 16:50:27 -0700 (PDT)
Received: from mail-lj1-f178.google.com (mail-lj1-f178.google.com. [209.85.208.178]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5ad6958599csm2981206e87.73.2026.06.25.16.50.25 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 25 Jun 2026 16:50:26 -0700 (PDT)
Received: by mail-lj1-f178.google.com with SMTP id 38308e7fff4ca-39676ff4674so4019751fa.0 for <oauth@ietf.org>; Thu, 25 Jun 2026 16:50:25 -0700 (PDT)
X-Received: by 2002:a05:651c:324d:b0:393:e369:9cf0 with SMTP id 38308e7fff4ca-39acb6c8d0emr12389871fa.26.1782431425369; Thu, 25 Jun 2026 16:50:25 -0700 (PDT)
MIME-Version: 1.0
From: Aaron Parecki <aaron@parecki.com>
Date: Thu, 25 Jun 2026 16:50:14 -0700
X-Gmail-Original-Message-ID: <CAGBSGjrufOEq3H6fpTcU9BfpJvQAb1Wd2+WYZQs5r0XosU4Otg@mail.gmail.com>
X-Gm-Features: AVVi8CeBobtTwMhUrg3tclIxZ18VWwLRw1AIAw5w_73zRVsEfNaBn73x-YZusUo
Message-ID: <CAGBSGjrufOEq3H6fpTcU9BfpJvQAb1Wd2+WYZQs5r0XosU4Otg@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f21dfe06551ca769"
Message-ID-Hash: XID4BLIRY4WI2ES3SXSBLAXYTALRMOLQ
X-Message-ID-Hash: XID4BLIRY4WI2ES3SXSBLAXYTALRMOLQ
X-MailFrom: aaron@parecki.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] OAuth for Browser-Based Apps BCP
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/suWZccx_iglGGCDicrS2_omijUM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Hi all,
As you probably know, the "OAuth for Browser-Based Apps BCP" document has
been stuck in the editor's queue for almost a year waiting on the
publication of RFC6265bis. In the meantime, the HTTPbis working group has
revised the recommendation in RFC6265bis that we reference, changing the
recommendation from prefixing cookies with "__Host-" to "__Host-Http-" in a
new document draft-ietf-httpbis-layered-cookies.
Given that we want to update the recommendation to the most current, but
also don't want to be held up until the new draft-ietf-httpbis-layered-cookies
is published as an RFC, we were considering options to make the text
non-normative so that we can continue with publication without waiting on
these.
How do folks feel about revising the recommendation in the Browser Apps BCP
to the following?
> The BFF SHOULD start the name of its cookies with a prefix indicating the
> cookie was set via HTTP, for example by using the `__Host-Http-` prefix
> defined in {{-draft-ietf-httpbis-layered-cookies}}
This text is based on the definition of the __Host-Http prefix from the
draft:
https://www.ietf.org/archive/id/draft-ietf-httpbis-layered-cookies-02.html#section-4.1.3.4
This helps developers and server operators to know that the cookie was set
> using a Set-Cookie header, and is limited in scope to HTTP requests.
This removes the normative dependency on the cookies drafts and makes it an
example instead, which would enable us to proceed with publication.
Aaron
- [OAUTH-WG] OAuth for Browser-Based Apps BCP Aaron Parecki
- [OAUTH-WG] Re: OAuth for Browser-Based Apps BCP Judith Kahrer
- [OAUTH-WG] Re: OAuth for Browser-Based Apps BCP george
- [OAUTH-WG] Re: OAuth for Browser-Based Apps BCP Neil Madden
- [OAUTH-WG] Re: OAuth for Browser-Based Apps BCP Dhruv Agnihotri
- [OAUTH-WG] Re: OAuth for Browser-Based Apps BCP Philippe De Ryck
- [OAUTH-WG] Re: OAuth for Browser-Based Apps BCP Aaron Parecki
- [OAUTH-WG] Re: OAuth for Browser-Based Apps BCP Deb Cooley
- [OAUTH-WG] Re: OAuth for Browser-Based Apps BCP Aaron Parecki