Re: inconsistency in draft-ietf-httpbis-rfc6265bis-07 SameSite default treatment?

Following up on this, it looks like it was already removed
<https://github.com/httpwg/http-extensions/commit/c467bb923e727f7b03e5a7b6430c5fc91445aa1d#diff-c96f4fab694f25d91c3ae6f4cd68ae735dbcb33dcbb2f4b79a13675b293caa7b>
(thanks Filippo!) and will be reflected in the -08 version of the draft.

On Fri, May 7, 2021 at 5:21 PM Lily Chen <chlily@google.com> wrote:

> Thanks for pointing that out! You're correct, the note should have been
> removed or updated. I'll fix that!
>
> On Fri, May 7, 2021 at 3:26 PM Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
>> Looking at parts of draft-ietf-httpbis-rfc6265bis-07 today I noticed what
>> is maybe a little inconsistency around the treatment of the default for
>> SameSite.
>>
>>
>> https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-07.html#section-4.1.2.7
>> has:
>> 'If the "SameSite" attribute's value is something other than these three
>> known keywords, the attribute's value will be subject to a default
>> enforcement mode that is equivalent to "Lax".'
>> and parts of
>> https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-07.html#section-5.5
>> and
>> https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-07.html#name-draft-ietf-httpbis-rfc6265bis-07
>> also suggest Lax as the default. As does (relatively recent) current
>> behaviour from most/all browsers.
>>
>> but
>> https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-07.html#section-5.3.7
>> ends with this sentence that looks like it's maybe left over from when the
>> default enforcement mode was "None":
>> 'Note: This algorithm maps the "None" value, as well as any unknown
>> value, to the "None" behavior, which is helpful for backwards compatibility
>> when introducing new variants.'
>>

Received on Friday, 21 May 2021 21:30:58 UTC
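
As an added illustration (not code from the draft or from anyone in this thread), the JavaScript sketch below parses the SameSite attribute and shows how the two readings of the default discussed above differ for a cross-site request. The function names, the request shape and the sample Set-Cookie strings are constructed for this example; treating an absent attribute like an unknown value, and letting the last SameSite attribute win, are assumptions of the sketch.

```javascript
// Added example: SameSite keyword parsing under the two default readings.
// A Map avoids prototype lookups for values such as "constructor".
const KNOWN = new Map([["none", "None"], ["strict", "Strict"], ["lax", "Lax"]]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Return the enforcement mode for a Set-Cookie header value.
// unknownDefault: "Lax" (the default quoted from section 4.1.2.7) or
// "None" (what the leftover note in section 5.3.7 described).
function sameSiteMode(setCookie, unknownDefault = "Lax") {
  let mode = unknownDefault; // assumption: absent attribute gets the default
  for (const part of setCookie.split(";").slice(1)) { // skip name=value
    const eq = part.indexOf("=");
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (name !== "samesite") continue;
    const value = eq === -1 ? "" : part.slice(eq + 1).trim().toLowerCase();
    // Keywords match case-insensitively; anything else falls to the default.
    mode = KNOWN.get(value) ?? unknownDefault;
  }
  return mode;
}

// Simplified send decision. req is a hypothetical shape:
// { sameSite: boolean, topLevelNav: boolean, method: string }
function isSent(mode, req) {
  if (req.sameSite || mode === "None") return true;
  if (mode === "Strict") return false;
  // Lax: cross-site only on top-level navigations using a safe method.
  return req.topLevelNav && SAFE_METHODS.has(req.method.toUpperCase());
}

// Compare both readings of the default for one cookie and one request.
function compare(setCookie, req) {
  return {
    laxDefault: isSent(sameSiteMode(setCookie, "Lax"), req),
    noneDefault: isSent(sameSiteMode(setCookie, "None"), req),
  };
}

// Constructed samples: an unknown keyword on a cross-site POST subresource
// request, and the same cookie on a cross-site top-level GET navigation.
const crossSitePost = { sameSite: false, topLevelNav: false, method: "POST" };
const crossSiteNav = { sameSite: false, topLevelNav: true, method: "GET" };
console.log(compare("sid=abc; Path=/; SameSite=Bogus", crossSitePost));
console.log(compare("sid=abc; Path=/; SameSite=Bogus", crossSiteNav));
```

The two readings disagree only on cross-site requests that Lax would block, which is where a misread default changes whether the cookie accompanies the request.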