Re: RFC6265 - Difference between RFC and implementation with regards to host-only-flag

On Fri, Jun 3, 2016 at 6:31 PM, Matthew Cox <macox@microsoft.com> wrote:

> We noticed that the host-only-flag behavior is different in most browsers
> vs the RFC, and I’d like to get this updated with new work being done on
> the cookie RFC.
>
> Given these two headers in a response from a request to
> http://contoso.com/:
>
> Set-Cookie: mycookie=nothostonly; domain=contoso.com
>
> Set-Cookie: mycookie=hostonly
>
> You would expect one cookie based on RFC 6265 section 5.3 where the cookie
> is defined by the name, domain, and path.
>
> However, most browsers will create two cookies since they take
> host-only-flag into account when looking up/creating a cookie.
>
> Based on this I’d like to update section 5.3 and 4.1.2 to add
> host-only-flag to the list of properties that make a unique cookie in the
> store.
>

This seems like a reasonable change to me, and I believe it matches
Chrome's existing behavior.


> What’s the best way to get this added?  Should I create an issue in GitHub?
>

I'd say file an issue against
https://github.com/httpwg/http-extensions/issues; not sure if this is a
substantial enough change to require more than that. Mark?

-mike

Received on Tuesday, 21 June 2016 12:42:54 UTC
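
The difference discussed in this thread, as an added example that is not part of the original messages and not any browser's code: a small model of the cookie store keyed either by (name, domain, path) or by those plus host-only-flag, fed the two headers from the message. The function names, the fixed path of "/" and the `www.contoso.com` subdomain used to check scope are assumptions of the example.

```javascript
// Added example, not from the thread. Models only the storage key of
// RFC 6265 section 5.3: path is fixed to "/", and expiry, Secure, HttpOnly
// and public-suffix checks are omitted.
const domainMatch = (host, domain) =>
  host === domain || host.endsWith("." + domain);

function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const host = requestHost.toLowerCase();
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: host, path: "/", hostOnly: true };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() !== "domain" || val === "") continue;
    const domain = val.replace(/^\./, "").toLowerCase();
    if (!domainMatch(host, domain)) return null; // cookie is ignored
    cookie.domain = domain;
    cookie.hostOnly = false;
  }
  return cookie;
}

// keyIncludesHostOnly=false: key is (name, domain, path), as RFC 6265 words it.
// keyIncludesHostOnly=true: host-only-flag is part of the key, as proposed.
function storeCookies(headers, requestHost, keyIncludesHostOnly) {
  const store = new Map();
  for (const header of headers) {
    const c = parseSetCookie(header, requestHost);
    if (c === null) continue;
    const key = [c.name, c.domain, c.path];
    if (keyIncludesHostOnly) key.push(String(c.hostOnly));
    store.set(key.join("\n"), c); // same key: newer cookie replaces older
  }
  return [...store.values()];
}

// Cookies the modelled store would attach to a request for `host`.
function cookieHeaderFor(cookies, host) {
  return cookies
    .filter((c) => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Header values from the message, received from http://contoso.com/.
const headers = ["mycookie=nothostonly; domain=contoso.com", "mycookie=hostonly"];
const perRfc = storeCookies(headers, "contoso.com", false);
const perBrowsers = storeCookies(headers, "contoso.com", true);
```

With the RFC's key the second header replaces the first, so the domain-scoped cookie disappears and a subdomain request carries nothing; with host-only-flag in the key both cookies survive and a request to contoso.com carries two cookies with the same name, which server code reading `mycookie` has to be prepared for.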