diff --git a/fetch.bs b/fetch.bs index 4b1f0c2ca..dea35f567 100644 --- a/fetch.bs +++ b/fetch.bs @@ -54,10 +54,29 @@ urlPrefix:https://tc39.es/ecma262/#;type:dfn;spec:ecma-262 url:realm;text:realm url:sec-list-and-record-specification-type;text:Record url:current-realm;text:current realm + +urlPrefix:https://www.ietf.org/archive/id/draft-annevk-johannhof-httpbis-cookies-00.html#;type:dfn;spec:cookies + url:name-cookie-store-and-limits;text:cookie store + url:name-parse-and-store-a-cookie;text:parse and store a cookie + url:name-parse-a-cookie;text:parse a cookie + url:name-store-a-cookie;text:store a cookie + url:name-retrieve-cookies;text:retrieve cookies + url:name-serialize-cookies;text:serialize cookies + url:name-garbage-collect-cookies;text:garbage collect cookies + + +urlPrefix:https://html.spec.whatwg.org#;type:dfn;spec:html + url:TODO;text:ancestry;for:environment + url:TODO;text:has storage access;for:environment
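Review bot: the two `url:TODO` anchors at the end of this hunk (`ancestry` and `has storage access`, both `for:environment`) will not resolve to real HTML definitions; Bikeshed will emit links to `https://html.spec.whatwg.org#TODO`. `ancestry` is read by step 4 of `determine the same-site mode` later in this patch, while `has storage access` is not referenced anywhere in the patch, so either a use is missing or that anchor is dead. Replace both with the real fragment ids from the companion HTML change before this lands.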
 {
+    "COOKIES": {
+      "authors": ["Johann Hofmann", "Anne van Kesteren"],
+      "href": "https://www.ietf.org/archive/id/draft-annevk-johannhof-httpbis-cookies-00.html",
+      "title": "Cookies: HTTP State Management Mechanism"
+    },
     "HTTP": {
         "aliasOf": "RFC9110"
     },
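Review bot: this local `COOKIES` biblio entry replaces whatever `[[COOKIES]]` resolved to before, while the steps removed later in this patch cite "section 7", "section 5.4" and "section 5.2" of `[[!COOKIES]]`, i.e. the old reference's section numbering. Pinning a `-00` individual draft by URL is also fragile. Mark the entry as a draft (the neighbouring `HTTP` entry makes its resolution explicit via `aliasOf`; do the same level of bookkeeping here) and confirm that no other `[[!COOKIES]]` section references survive in the spec.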
@@ -1938,6 +1957,10 @@ not always relevant and might require different behavior.
 "client" or an origin. Unless stated otherwise it is
 "client".
 
+

A request has an associated +top-level navigation +initiator origin, which is an origin or null. Unless stated otherwise it is null. +

"client" is changed to an origin during fetching. It provides a convenient way for standards to not have to set request's origin. @@ -2226,9 +2249,9 @@ or "object".


-

A request request has a -redirect-tainted origin if these steps -return true: +

To compute the redirect-taint of a +request request, perform the following steps. They return +"same-origin", "same-site", or "cross-site".

  1. Assert: request's origin is not @@ -2236,6 +2259,8 @@ return true:

  2. Let lastURL be null. +

  3. Let computedTaint be "same-origin". +

  4. For each url of request's URL list: @@ -2243,14 +2268,20 @@ return true:

  5. If lastURL is null, then set lastURL to url and continue. +

  6. If url's origin is not same site with + lastURL's origin and request's origin is + not same site with lastURL's origin, then return + "cross-site". +

  7. If url's origin is not same origin with lastURL's origin and request's origin is - not same origin with lastURL's origin, then return true. + not same origin with lastURL's origin, then set + computedTaint to "same-site".

  8. Set lastURL to url.
-
  • Return false. +
  • Return computedTaint.

  • @@ -2262,8 +2293,8 @@ run these steps:
  • Assert: request's origin is not "client". -

  • If request has a redirect-tainted origin, then return - "null". +

  • If request's redirect-taint is not "same-origin", + then return "null".

  • Return request's origin, serialized. @@ -2362,20 +2393,20 @@ source of security bugs. Please seek security review for features that deal with "client".

  • If request's mode is not "no-cors", then return - true.

    + true. -
  • If request's client is null, then return true.

    +
  • If request's client is null, then return true.

  • If request's client's policy container's embedder policy's value is not - "credentialless", then return true.

    + "credentialless", then return true.
  • If request's origin is same origin with - request's current URL's origin and request - does not have a redirect-tainted origin, then return true.

    + request's current URL's origin and request's + redirect-taint is not "same-origin", then return true. -
  • Return false.

    +
  • Return false. @@ -2486,8 +2517,9 @@ this is also tracked internally using the request's timing allow service worker timing info (null or a service worker timing info), which is initially null. -

    A response has an associated has-cross-origin-redirects -(a boolean), which is initially false. +

    A response has an associated redirect taint +("same-origin", "same-site", or "cross-site"), which is +initially "same-origin".
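Review bot: the new response field is spelled `redirect taint` (space) while the request algorithm introduced earlier is `redirect-taint` (hyphen), which makes the later line "Set internalResponse's redirect taint to request's redirect-taint" read like a typo. Pick one spelling for both; since the request side is an algorithm and the response side is a field, consider naming the field after the value it stores, as the replaced `has-cross-origin-redirects` did.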


    @@ -4225,7 +4257,133 @@ indicates the request’s purpose is to fetch a resource that is anticipated to

    The server can use this to adjust the caching expiry for prefetches, to disallow the prefetch, or to treat it differently when counting page visits. +

    Cookies

    + + + +

    The `Cookie` header is largely defined in its own specification. [[COOKIES]]. +We define infrastructure to be able to use them conveniently here. + +

    +

    To append a request `Cookie` header, +given a request request, run these steps: + +

      +
    1. If the user agent is configured to disable cookies for request, it should + return. + +

    2. Let |sameSite| be the result of [=determining the same-site mode=] for request. + +

    3. Let |isSecure| be false. + +

    4. If request's client is a secure context, then set + |isSecure| to true. + +

    5. +

      Let |httpOnlyAllowed| be true. +

      True follows from this being invoked from fetch, as opposed to the + document.cookie getter steps for instance. + +

    6. +

      Let |cookies| be the result of running retrieve cookies given |isSecure|, + request's current URL's host, request's + current URL's path, |httpOnlyAllowed|, and |sameSite|. + +

      It is expected that the cookie store returns an ordered list of cookies + +

    7. If |cookies| is empty, then return. + +
    8. Let |value| be the result of running serialize cookies given |cookies|. + +
    9. Append (`Cookie`, value) to + request's header list. +
    +
    + +
    +

    To parse and store response +`Set-Cookie` headers, given a request request and a +response response, run these steps: + +

      +
    1. If the user agent is configured to disable cookies for request, + then it should return. + +

    2. Let |allowNonHostOnlyCookieForPublicSuffix| be false. + +

    3. Let |isSecure| be false. + +

    4. If request's client is a secure context, set + |isSecure| to true. + +

    5. +

      Let |httpOnlyAllowed| be true. + +

      True follows from this being invoked from fetch, as opposed to the + document.cookie getter steps for instance. + +

    6. Let |sameSiteStrictOrLaxAllowed| be true if the result of [=determine the same-site mode=] + for |request| is "StrictOrLess", and false otherwise. + +

    7. For each header of response's + header list: + +

        +
      1. If header's name is not a byte-case-insensitive match + for `Set-Cookie`, continue. + +

      2. Parse and store a cookie given header's value, + |isSecure|, request's current URL's host, + request's current URL's path, |httpOnlyAllowed|, + |allowNonHostOnlyCookieForPublicSuffix|, and |sameSiteStrictOrLaxAllowed|. + +

      3. Garbage collect cookies given request's + current URL's host. +

      +
    +
    + + + +These algorithms are not only for use with the `Cookie` header, and are used in other +specifications. + +
    +

    To determine the same-site mode for a given request request, +run these steps: + +

      +
    1. Assert: request's method is "GET" or "POST". + +

    2. If request's top-level navigation initiator origin is not + null and is not same site to request's URL's + origin, return "UnsetOrLess". + +

    3. If request's method is "GET" and request's + destination is "document", return "LaxOrLess". + +

    4. If request's client's ancestry is + "cross-site", return "UnsetOrLess". + +

    5. If request's redirect-taint is "cross-site", + return "UnsetOrLess". + +

    6. Return "StrictOrLess". +

    +
    + +
    +

    To clear site cookies for origin origin, run these steps: + +

      +
    1. Remove all cookies that were stored with a host is either equal to |origin|'s host, + or have a registrable domain equal to |origin|'s host's registrable domain. + +

      The cookie specification doesn't yet have a way to do this algorithmically, so we + settle for this definition. +

    +

    Fetching
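Review bot: step 1 of `determine the same-site mode` asserts that request's method is `GET` or `POST`, but `append a request Cookie header` (which calls it in step 2) is invoked from HTTP-network-or-cache fetch whenever includeCredentials is true, with no method check, so any credentialed `PUT`, `DELETE` or `HEAD` request trips the assert. Drop the assert and let step 3 be the only method-sensitive step. Three smaller points in the same hunk: step 4 of both cookie algorithms and step 4 of the same-site algorithm dereference request's client (`is a secure context`, `ancestry`) even though client can be null, which the -2362 hunk checks for explicitly; step 2 of `append a request Cookie header` autolinks `[=determining the same-site mode=]` while the definition and the other call site use `determine the same-site mode`, so that link needs an `lt` alias or the same wording; and step 7.3 garbage collects cookies once per `Set-Cookie` header rather than once after the loop.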

    @@ -4680,8 +4838,8 @@ steps: -
  • If request has a redirect-tainted origin, then set - internalResponse's has-cross-origin-redirects to true. +

  • Set internalResponse's redirect taint to request's + redirect-taint.

  • If request's timing allow failed flag is unset, then set internalResponse's timing allow passed flag. @@ -4834,7 +4992,7 @@ steps:

  • If fetchParams's request's mode is not "navigate" or response's - has-cross-origin-redirects is false: + redirect taint is "same-origin":

    1. Set responseStatus to response's status. @@ -5710,21 +5868,7 @@ run these steps:

      If includeCredentials is true, then:

        -
      1. -

        If the user agent is not configured to block cookies for httpRequest (see - section 7 of - [[!COOKIES]]), then: - -

          -
        1. Let cookies be the result of running the "cookie-string" algorithm (see - section 5.4 of - [[!COOKIES]]) with the user agent's cookie store and httpRequest's - current URL. - -

        2. If cookies is not the empty string, then append - (`Cookie`, cookies) to httpRequest's - header list. -
        +
      2. Append a request `Cookie` header for httpRequest.

      3. If httpRequest's header list @@ -6288,14 +6432,9 @@ optional boolean forceNewConnection (default false), run these steps:

      4. Set response's body to a new body whose stream is stream. -

      5. If includeCredentials is true and the user agent is not - configured to block cookies for request (see - section 7 of - [[!COOKIES]]), then run the "set-cookie-string" parsing algorithm (see - section 5.2 of [[!COOKIES]]) on the - value of each header whose name is a - byte-case-insensitive match for `Set-Cookie` in response's - header list, if any, and request's current URL. +

      6. If includeCredentials is true, the user agent should + parse and store response `Set-Cookie` headers given request and + response.

      7. Run these steps in parallel:
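Review bot: in the @@ -1938 hunk, the new request field `top-level navigation initiator origin` is defined but nothing in this patch sets it; its only reader is step 2 of `determine the same-site mode`. Add a pointer to the algorithm expected to set it (or a note that only navigations populate it), otherwise it is always null and that step is dead.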
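Review bot: in the @@ -2362 hunk, the rewritten final condition inverts the original logic. The old text returned true when request's origin is same origin with its current URL's origin and request "does not have a redirect-tainted origin"; the new text returns true when request's redirect-taint "is not "same-origin"", i.e. exactly when the request was redirect-tainted. It should read: and request's redirect-taint is "same-origin", then return true. Compare the -2293 hunk, where `not "same-origin"` correctly stands in for the old `true`.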
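Review bot: in this last hunk (@@ -6288), the new step 6 says the user agent "should" parse and store the headers, and step 1 of `parse and store response Set-Cookie headers` already says it "should return" when cookies are disabled, so the requirement is softened twice. The replaced text was unconditional apart from the block-cookies check. Suggest: If includeCredentials is true, then parse and store response `Set-Cookie` headers given request and response. Keep the optionality in the algorithm's step 1 only, matching how the -5868 hunk invokes `append a request Cookie header` without a "should".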