- From: Brian Campbell <bcampbell@pingidentity.com>
- Date: Fri, 7 May 2021 13:22:41 -0600
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CA+k3eCQ0rxXJXuBV48H0i_wVMXw_sNxExj1nZhCPMBw+MbMs+Q@mail.gmail.com>
Looking at parts of draft-ietf-httpbis-rfc6265bis-07 today I noticed what is maybe a little inconsistency around the treatment of the default for SameSite. https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-07.html#section-4.1.2.7 has: 'If the "SameSite" attribute's value is something other than these three known keywords, the attribute's value will be subject to a default enforcement mode that is equivalent to "Lax".' and parts of https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-07.html#section-5.5 and https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-07.html#name-draft-ietf-httpbis-rfc6265bis-07 also suggest Lax as the default. As does (relatively recent) current behaviour from most/all browsers. but https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-07.html#section-5.3.7 ends with this sentence that looks like it's maybe left over from when the default enforcement mode was "None": 'Note: This algorithm maps the "None" value, as well as any unknown value, to the "None" behavior, which is helpful for backwards compatibility when introducing new variants.' -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
Received on Friday, 7 May 2021 19:23:22 UTC