
Intent to Implement and ship: cookie prefixes


Daniel Veditz

Jul 18, 2016, 7:04:39 PM
to dev-pl...@lists.mozilla.org
The "Cookie prefix" adds restrictions to how cookies with two specific
prefixes may be used. This addresses some of the Weak Confidentiality and
Weak Integrity concerns noted by RFC 6265 (
https://tools.ietf.org/html/rfc6265#section-8.5).

Cookies whose names start with "__Secure-" or "__Host-" must have the
"secure" flag and be set over a secure connection. In addition, cookies
with the "__Host-" prefix must have a path attribute of "/" and must not
have a "domain" attribute. The prefixes are ugly, but a name collision
could break existing content; Google's testing and scanning so far have
revealed no collisions.

Implementation bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1283368

Proposed standard:
https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes

Platforms: Desktop and Android.
Target Release: Firefox 50

Since this is a proposed standard the best forum for discussion would be
the public http mailing list
https://lists.w3.org/Archives/Public/ietf-http-wg/ (subscription
information available at that link)

This is implemented in Chrome 49 and Opera 36
https://www.chromestatus.com/features/4952188392570880

Chrome's Intent to Ship discussion (which links to their Intent to
implement):
https://groups.google.com/a/chromium.org/forum/#!searchin/blink-dev/%22intent$20to%22$20cookie/blink-dev/ueCrrgFX8J4/3C8CN6gEAgAJ
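A user-agent-side check of the two prefix rules described in the post, written here as an added example (it is not code from the post, from Firefox, or from Chrome); the function names `parseSetCookie` and `checkCookiePrefix` and the `{ accepted, reason }` result shape are assumptions:

```javascript
// Added example: enforce the "__Secure-" / "__Host-" cookie prefix rules
// on a single Set-Cookie header value, as a user agent would before
// storing the cookie. Function names and result shape are assumed.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const attrs = {}; // attribute names are case-insensitive per RFC 6265
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? '' : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

function checkCookiePrefix(header, overSecureConnection) {
  const { name, attrs } = parseSetCookie(header);
  const securePrefix = name.startsWith('__Secure-');
  const hostPrefix = name.startsWith('__Host-');
  if (!securePrefix && !hostPrefix) {
    return { accepted: true, reason: 'no prefix; ordinary cookie rules apply' };
  }
  // Both prefixes: the Secure flag is required and the cookie must be
  // set over a secure connection.
  if (!('secure' in attrs)) {
    return { accepted: false, reason: 'missing Secure attribute' };
  }
  if (!overSecureConnection) {
    return { accepted: false, reason: 'not set over a secure connection' };
  }
  // "__Host-" additionally: no Domain attribute and Path must be "/".
  if (hostPrefix && 'domain' in attrs) {
    return { accepted: false, reason: '__Host- cookie must not have a Domain attribute' };
  }
  if (hostPrefix && attrs.path !== '/') {
    return { accepted: false, reason: '__Host- cookie must have Path=/' };
  }
  return { accepted: true, reason: 'prefix requirements satisfied' };
}
```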