
draft-ietf-httpbis-rfc6265bis-01, 4.1.3.1. The "__Secure-" Prefix

From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Date: Tue, 25 Apr 2017 20:29:33 +0300 (EEST)
To: HTTP working group mailing list <ietf-http-wg@w3.org>
CC: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Message-Id: <20170425172934.715632BEC3@welho-filter1.welho.com>

HTTP State Management Mechanism
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-01

4.1.3.1.  The "__Secure-" Prefix
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-01#section-4.1.3.1


|   Whereas the following "Set-Cookie" header would be accepted:
|
|   Set-Cookie: __Secure-SID=12345; Domain=example.com; Secure

=> 

|   While the following would be accepted if set from a secure origin (e.g.
|   "https://example.com/"), and rejected otherwise:
|
|   Set-Cookie: __Secure-SID=12345; Domain=example.com; Secure


Same as in 4.1.3.2.  The "__Host-" Prefix

There is in

5.3.  Storage Model
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-01#section-5.3

|   9.   If the scheme component of the request-uri does not denote a
|        "secure" protocol (as defined by the user agent), and the
|        cookie's secure-only-flag is true, then abort these steps and
|        ignore the cookie entirely.

/ Kari Hurtta
Received on Tuesday, 25 April 2017 17:30:09 UTC
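
An added example, not part of the original message or of the draft: a sketch of the user-agent check the message refers to, combining the Section 5.3 step 9 rule with the "__Secure-" and "__Host-" prefix requirements. The function names, the `SECURE_SCHEMES` set and the exact-case prefix comparison are assumptions of this sketch, and domain matching and the other storage-model steps are left out.

```python
from urllib.parse import urlsplit

# Assumption: the schemes this user agent treats as "secure".
SECURE_SCHEMES = {"https", "wss"}


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attrs); attribute names lower-cased."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def accept_cookie(request_uri, header_value):
    """Return (accepted, reason) for a Set-Cookie received in response to request_uri."""
    name, _, attrs = parse_set_cookie(header_value)
    secure_origin = urlsplit(request_uri).scheme.lower() in SECURE_SCHEMES
    secure_flag = "secure" in attrs

    # Section 5.3 step 9: secure-only-flag set, but the request scheme is not secure.
    if secure_flag and not secure_origin:
        return False, "Secure cookie set from a non-secure origin"
    # Either prefix requires the Secure attribute; with the check above this
    # also means a prefixed cookie is only ever accepted from a secure origin.
    if name.startswith(("__Secure-", "__Host-")) and not secure_flag:
        return False, "prefixed cookie without the Secure attribute"
    if name.startswith("__Host-"):
        if "domain" in attrs:
            return False, "__Host- cookie with a Domain attribute"
        if attrs.get("path") != "/":
            return False, "__Host- cookie without Path=/"
    return True, "accepted"


if __name__ == "__main__":
    header = "__Secure-SID=12345; Domain=example.com; Secure"  # header quoted in the message
    for uri in ("https://example.com/", "http://example.com/"):
        print(uri, accept_cookie(uri, header))
```

The same header is accepted for `https://example.com/` and ignored for `http://example.com/`, which is the distinction the proposed wording makes explicit.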
