draft-ietf-httpbis-rfc6265bis-01, 4.1.3.1. The "__Secure-" Prefix

HTTP State Management Mechanism
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-01

4.1.3.1.  The "__Secure-" Prefix
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-01#section-4.1.3.1


|   Whereas the following "Set-Cookie" header would be accepted:
|
|   Set-Cookie: __Secure-SID=12345; Domain=example.com; Secure

=> 

|   While the following would be accepted if set from a secure origin (e.g.
|   "https://example.com/"), and rejected otherwise:
|
|   Set-Cookie: __Secure-SID=12345; Domain=example.com; Secure


Same as in 4.1.3.2.  The "__Host-" Prefix

There is in

5.3.  Storage Model
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-01#section-5.3

|   9.   If the scheme component of the request-uri does not denote a
|        "secure" protocol (as defined by the user agent), and the
|        cookie's secure-only-flag is true, then abort these steps and
|        ignore the cookie entirely.

/ Kari Hurtta

Received on Tuesday, 25 April 2017 17:30:09 UTC