RFC6265 - Difference between RFC and implementation with regards to host-only-flag

We noticed that the host-only-flag behavior is different in most browsers vs the RFC, and I'd like to get this updated with new work being done on the cookie RFC.

Given these two headers in a response from a request to http://contoso.com/:

Set-Cookie: mycookie=nothostonly; domain=contoso.com
Set-Cookie: mycookie=hostonly

You would expect one cookie based on RFC 6265 section 5.3 where the cookie is defined by the name, domain, and path.

However, most browsers will create two cookies since they take host-only-flag into account when looking up/creating a cookie.

Based on this, I'd like to update sections 5.3 and 4.1.2 to add host-only-flag to the list of properties that make a unique cookie in the store.

What's the best way to get this added? Should I create an issue in GitHub?

Thanks,

Matthew

Received on Friday, 3 June 2016 16:32:32 UTC
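
The difference described in the message above, as an added example that is not part of the original message or of any browser's code: a simplified model of the RFC 6265 section 5.3 storage steps in which the store key either omits or includes host-only-flag. The names parseSetCookie, storeCookies and cookiesFor are hypothetical, and public suffix checks, IP hosts, default-path computation and expiry are assumed away.

```javascript
// Simplified model of RFC 6265 section 5.3 storage (added example, not browser code).
const domainMatch = (host, domain) => host === domain || host.endsWith('.' + domain);

function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: ignore the header
  const host = requestHost.toLowerCase();
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: host, path: '/', hostOnly: true };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'domain' && val) {
      const d = val.replace(/^\./, '').toLowerCase();
      if (!domainMatch(host, d)) return null; // Domain the request host does not match
      cookie.domain = d;
      cookie.hostOnly = false; // a Domain attribute clears host-only-flag
    } else if (key === 'path' && val.startsWith('/')) {
      cookie.path = val;
    }
  }
  return cookie;
}

// keyIncludesHostOnly=false: identity is (name, domain, path), as section 5.3 is written.
// keyIncludesHostOnly=true: identity also includes host-only-flag, as the message proposes.
function storeCookies(setCookieHeaders, requestHost, keyIncludesHostOnly) {
  const jar = new Map();
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header, requestHost);
    if (!c) continue;
    const key = [c.name, c.domain, c.path, keyIncludesHostOnly ? c.hostOnly : ''].join('\n');
    jar.set(key, c); // same key: the newer cookie replaces the older one
  }
  return [...jar.values()];
}

// Values that would be sent to `host`: host-only cookies need an exact host match.
const cookiesFor = (jar, host) => jar
  .filter((c) => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
  .map((c) => c.value);

// The two headers from the message, received from http://contoso.com/
const headers = ['mycookie=nothostonly; domain=contoso.com', 'mycookie=hostonly'];
for (const flag of [false, true]) {
  const jar = storeCookies(headers, 'contoso.com', flag);
  console.log(flag, jar.length, cookiesFor(jar, 'sub.contoso.com'));
}
```

In this model the three-part key leaves a single host-only cookie that is never sent to sub.contoso.com, while the four-part key keeps both, so the domain-wide value still reaches subdomains and contoso.com itself receives two cookies named mycookie.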