Skip to main content

First-Party Sets and SameSite Cookies
draft-west-cookie-samesite-firstparty-01

Document Type Expired Internet-Draft (individual)
Expired & archived
Author Mike West
Last updated 2019-11-18 (Latest revision 2019-05-10)
RFC stream (None)
Intended RFC status (None)
Formats
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:

Abstract

This document proposes the addition of two new values to the "SameSite" cookie attribute defined in RFC6265bis [I-D.ietf-httpbis-rfc6265bis]: "FirstPartyLax" and "FirstPartyStrict". These values are conceptually similar to the existing "Lax" and "Strict" values, but base the delivery checks on the First-Party Sets [first-party-set] of a request's initiator and target, rather than on their respective registrable domains. This widens the scope of a given cookie's applicability, enabling entities that have sharded themselves across multiple registrable domains to maintain HTTP state without exposing themselves to the risks of "SameSite=None".

Authors

Mike West

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)