RE: RFC6265 - Difference between RFC and implementation with regards to host-only-flag

Thanks Mike!

I have already filed an issue: https://github.com/httpwg/http-extensions/issues/199.


Please let me know if something else needs to be done to get this updated.

Thanks,

Matthew

From: Mike West [mailto:mkwst@google.com]
Sent: Tuesday, June 21, 2016 5:42 AM
To: Matthew Cox <macox@microsoft.com>; Mark Nottingham <mnot@mnot.net>
Cc: ietf-http-wg@w3.org
Subject: Re: RFC6265 - Difference between RFC and implementation with regards to host-only-flag

On Fri, Jun 3, 2016 at 6:31 PM, Matthew Cox <macox@microsoft.com> wrote:

We noticed that the host-only-flag behavior is different in most browsers vs the RFC, and I’d like to get this updated with new work being done on the cookie RFC.



Given these two headers in a response from a request to http://contoso.com/:




Set-Cookie: mycookie=nothostonly; domain=contoso.com

Set-Cookie: mycookie=hostonly



You would expect one cookie based on RFC 6265 section 5.3 where the cookie is defined by the name, domain, and path.



However, most browsers will create two cookies since they take host-only-flag into account when looking up/creating a cookie.



Based on this I’d like to update section 5.3 and 4.1.2 to add host-only-flag to the list of properties that make a unique cookie in the store.

This seems like a reasonable change to me, and I believe it matches Chrome's existing behavior.


What’s the best way to get this added?  Should I create an issue in GitHub?

I'd say file an issue against https://github.com/httpwg/http-extensions/issues; not sure if this is a substantial enough change to require more than that. Mark?

-mike

Received on Tuesday, 21 June 2016 16:20:08 UTC
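
The difference discussed in this thread, as an added example that is not part of the original messages and is not any browser's code: a minimal cookie store replays the two Set-Cookie headers once with the RFC 6265 section 5.3 key (name, domain, path) and once with host-only-flag added to the key. The hostname `sub.contoso.com`, the fixed path `/` and all function names are assumptions made for the illustration.

```javascript
// Added illustration: minimal cookie store, hostnames only (no IP or public-suffix checks).
// Only name, value and Domain are parsed; path is fixed to "/" (assumption).
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: requestHost, hostOnly: true, path: "/" };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    if (k.toLowerCase() === "domain" && v !== "") {
      // RFC 6265 5.2.3 / 5.3: a non-empty Domain attribute clears host-only-flag.
      cookie.domain = v.replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;
    }
  }
  return cookie;
}
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}
class CookieStore {
  constructor(keyIncludesHostOnly) {
    this.keyIncludesHostOnly = keyIncludesHostOnly;
    this.cookies = new Map();
  }
  key(c) {
    const parts = [c.name, c.domain, c.path];
    if (this.keyIncludesHostOnly) parts.push(c.hostOnly);
    return JSON.stringify(parts);
  }
  set(header, requestHost) {
    const c = parseSetCookie(header, requestHost);
    if (!domainMatches(requestHost, c.domain)) return; // 5.3: ignore the cookie
    this.cookies.set(this.key(c), c); // same key replaces the stored cookie
  }
  cookieHeader(requestHost) {
    return [...this.cookies.values()]
      .filter((c) => (c.hostOnly ? requestHost === c.domain
                                 : domainMatches(requestHost, c.domain)))
      .map((c) => `${c.name}=${c.value}`).join("; ");
  }
}
// Replays the two headers from the thread as a response from contoso.com.
function replay(keyIncludesHostOnly) {
  const store = new CookieStore(keyIncludesHostOnly);
  store.set("mycookie=nothostonly; domain=contoso.com", "contoso.com");
  store.set("mycookie=hostonly", "contoso.com");
  return { count: store.cookies.size, toApex: store.cookieHeader("contoso.com"),
           toSub: store.cookieHeader("sub.contoso.com") }; // constructed subdomain
}
console.log("RFC 6265 key:", replay(false));
console.log("key with host-only-flag:", replay(true));
```

With the RFC key the second header replaces the first, so the subdomain receives nothing; with host-only-flag in the key both cookies persist and the domain cookie is still sent to the subdomain.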