
inconsistency in draft-ietf-httpbis-rfc6265bis-07 SameSite default treatment?

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 7 May 2021 13:22:41 -0600
Message-ID: <CA+k3eCQ0rxXJXuBV48H0i_wVMXw_sNxExj1nZhCPMBw+MbMs+Q@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>

Looking at parts of draft-ietf-httpbis-rfc6265bis-07 today I noticed what
is maybe a little inconsistency around the treatment of the default for
SameSite.

https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-07.html#section-4.1.2.7
has:
'If the "SameSite" attribute's value is something other than these three
known keywords, the attribute's value will be subject to a default
enforcement mode that is equivalent to "Lax".'
and parts of
https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-07.html#section-5.5
and
https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-07.html#name-draft-ietf-httpbis-rfc6265bis-07
also suggest Lax as the default. As does (relatively recent) current
behaviour from most/all browsers.

But
https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-07.html#section-5.3.7
ends with this sentence that looks like it's maybe left over from when the
default enforcement mode was "None":
'Note: This algorithm maps the "None" value, as well as any unknown value,
to the "None" behavior, which is helpful for backwards compatibility when
introducing new variants.'

Received on Friday, 7 May 2021 19:23:22 UTC
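The two readings of the SameSite default that the message contrasts can be made concrete by running a single Set-Cookie header through both. The following is an added example written for this archive page; it is not code from the draft, from the mailing list, or from any browser. It assumes a deliberately simplified Set-Cookie parser (no quoting edge cases), treats an absent attribute as the Lax-equivalent "Default" that the message attributes to Section 5.5, and uses the usual enforcement semantics for Strict, Lax and None (Strict: same-site only; Lax: same-site plus top-level navigations with a safe method; None: unrestricted).

```python
# Added example (not text or code from the draft or from the thread above):
# the two readings of the SameSite default that the message contrasts,
# applied to a concrete Set-Cookie header and one request context.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
KNOWN_SAMESITE = {"strict": "Strict", "lax": "Lax", "none": "None"}


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header value into name, value and attributes.

    Simplified on purpose (no quoting or whitespace edge cases); attribute
    names are lower-cased, values are kept as sent.
    """
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def mode_per_section_4_1_2_7(attrs: dict) -> str:
    """Reading from Section 4.1.2.7 of the -07 draft: a value other than the
    three known keywords falls back to the default, equivalent to Lax.
    An absent attribute is treated as Lax here too, following the Section
    5.5 text the message cites (an assumption made for this example)."""
    raw = attrs.get("samesite")
    if raw is None:
        return "Lax"
    return KNOWN_SAMESITE.get(raw.lower(), "Lax")


def mode_per_section_5_3_7(attrs: dict) -> str:
    """Reading from the Section 5.3.7 note quoted in the message: "None" and
    any unknown value both map to the "None" behaviour."""
    raw = attrs.get("samesite")
    if raw is None:
        return "Lax"  # attribute absent: same Default handling as above
    return KNOWN_SAMESITE.get(raw.lower(), "None")


def would_send_cookie(mode: str, same_site_request: bool,
                      top_level_navigation: bool, method: str) -> bool:
    """Usual enforcement semantics: Strict is same-site only, Lax also allows
    top-level navigations with a safe method, None is unrestricted."""
    if mode == "None":
        return True
    if same_site_request:
        return True
    if mode == "Lax":
        return top_level_navigation and method.upper() in SAFE_METHODS
    return False  # Strict


def compare_readings(header: str, same_site_request: bool,
                     top_level_navigation: bool, method: str) -> dict:
    """Evaluate one Set-Cookie header under both readings for one request."""
    attrs = parse_set_cookie(header)["attrs"]
    return {
        "section_4_1_2_7": would_send_cookie(
            mode_per_section_4_1_2_7(attrs), same_site_request,
            top_level_navigation, method),
        "section_5_3_7": would_send_cookie(
            mode_per_section_5_3_7(attrs), same_site_request,
            top_level_navigation, method),
    }


if __name__ == "__main__":
    # Constructed sample: a session cookie whose SameSite value is misspelled,
    # evaluated for a cross-site, non-navigational POST (e.g. a form or fetch
    # from another site).
    header = "session=abc123; Path=/; Secure; SameSite=Laxx"
    result = compare_readings(header, same_site_request=False,
                              top_level_navigation=False, method="POST")
    for section, sent in result.items():
        print(f"{section}: cookie {'sent' if sent else 'withheld'} cross-site")
```

Running it shows why the leftover sentence matters beyond editorial tidiness: under the Section 4.1.2.7 reading an unrecognised value fails closed to Lax and the cookie is withheld on the cross-site POST, whereas under the Section 5.3.7 reading the same typo silently yields "None" and the cookie is attached, which is exactly the cross-site request forgery exposure the Lax default exists to remove.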