Cookie layering - Http prefix #3110
Open
+62
−10
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Given https://lists.w3.org/Archives/Public/ietf-http-wg/2025AprJun/0188.html, maybe we want to land __HttpOnly first while we figure out what the compounding mechanism here should be? |
|
It might be good to open an issue to discuss further, but my inclination would be that we turn this into some kind of table of prefix strings and their corresponding restrictions down the line. I don't think the combinatorial explosion is all that bad and allowing them in arbitrary order would in fact turn a simple prefix match into a parser question with all the resulting issues that come with that. |
|
Yeah, there's a discussion happening on that front in https://lists.w3.org/Archives/Public/ietf-http-wg/2025AprJun/0192.html I think we can split this into two separate things:
If that makes sense, I'm happy to turn this into (1) and open an issue to further discuss (2) |
annevk
reviewed
Jun 18, 2025
|
I like the idea of the prefix being just |
yoavweiss
changed the title
yoavweiss
changed the title
Revamped this PR to just handle the |
|
I added a checklist to OP for what remains to be done. I suppose we also need to make some assessment as to whether this has broad enough support, but I think it has from the list discussion. |
This was referenced Jun 19, 2025
|
@annevk - I tried to split out the conditions to separate algorithms, to make it easier/clearer when combining them for HostHttp. Let me know what you think. |
annevk
reviewed
Jun 20, 2025
miketaylr
reviewed
Jun 20, 2025
annevk
reviewed
Jun 23, 2025
miketaylr
approved these changes
Jun 23, 2025
aarongable
pushed a commit
to chromium/chromium
that referenced
this pull request
Jun 25, 2025
This CL implements the __Http- [1] cookie prefixes. They enable site operators to know that a certain cookie was issued with the HttpOnly attribute, and was not set by a malicious script on the client side. [1] httpwg/http-extensions#3110 Bug: 426096760 Change-Id: I13205747406a8b3c33bd9f0e60abd7526eb9490d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6638647 Reviewed-by: Maks Orlovich <[email protected]> Reviewed-by: Chris Fredrickson <[email protected]> Commit-Queue: Yoav Weiss (@Shopify) <[email protected]> Cr-Commit-Position: refs/heads/main@{#1478348}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Jun 25, 2025
This CL implements the __Http- [1] cookie prefixes. They enable site operators to know that a certain cookie was issued with the HttpOnly attribute, and was not set by a malicious script on the client side. [1] httpwg/http-extensions#3110 Bug: 426096760 Change-Id: I13205747406a8b3c33bd9f0e60abd7526eb9490d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6638647 Reviewed-by: Maks Orlovich <[email protected]> Reviewed-by: Chris Fredrickson <[email protected]> Commit-Queue: Yoav Weiss (@Shopify) <[email protected]> Cr-Commit-Position: refs/heads/main@{#1478348}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Jun 25, 2025
This CL implements the __Http- [1] cookie prefixes. They enable site operators to know that a certain cookie was issued with the HttpOnly attribute, and was not set by a malicious script on the client side. [1] httpwg/http-extensions#3110 Bug: 426096760 Change-Id: I13205747406a8b3c33bd9f0e60abd7526eb9490d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6638647 Reviewed-by: Maks Orlovich <[email protected]> Reviewed-by: Chris Fredrickson <[email protected]> Commit-Queue: Yoav Weiss (@Shopify) <[email protected]> Cr-Commit-Position: refs/heads/main@{#1478348}
Remove the HostHttpOnly parts and review comments Remove some more hosthttponly rename Add back HostHttp and split out conditions Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Anne van Kesteren <[email protected]> Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Anne van Kesteren <[email protected]> Move algos to misc Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Anne van Kesteren <[email protected]> Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Anne van Kesteren <[email protected]> Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Anne van Kesteren <[email protected]> Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Anne van Kesteren <[email protected]> Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Anne van Kesteren <[email protected]> Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Mike Taylor <[email protected]> Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Mike Taylor <[email protected]> know Add a path-attribute Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Anne van Kesteren <[email protected]> Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Anne van Kesteren <[email protected]> Revert incorrect default path changes has path attribute Cookie layering - HttpOnly and HostHttpOnly prefixes Remove the HostHttpOnly parts and review comments Remove some more hosthttponly rename Add back HostHttp and split out conditions Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Anne van Kesteren <[email protected]> Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Anne van Kesteren <[email protected]> Move algos to misc Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Anne van Kesteren <[email protected]> Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Anne van Kesteren <[email protected]> Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Anne van Kesteren <[email protected]> Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Anne van Kesteren <[email protected]> Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Anne van Kesteren <[email protected]> Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Mike Taylor <[email protected]> Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Mike Taylor <[email protected]> know Add a path-attribute Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Anne van Kesteren <[email protected]> Update draft-ietf-httpbis-layered-cookies.md Co-authored-by: Anne van Kesteren <[email protected]> Revert incorrect default path changes has path attribute
yoavweiss
force-pushed
the
httponly_prefix
branch
from
c17fffa to
e99314a
Compare
aarongable
pushed a commit
to chromium/chromium
that referenced
this pull request
Jun 25, 2025
Similar to [1], this adds an __HostHttp- prefix that ensures that a cookies is both Host-scoped and httpOnly. Specified in [2] [1] https://chromium-review.googlesource.com/c/chromium/src/+/6638647 [2] httpwg/http-extensions#3110 Bug: 426096760 Change-Id: Id1637331eaa3035443d005450c022b326378aeed Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6650996 Commit-Queue: Yoav Weiss (@Shopify) <[email protected]> Reviewed-by: Maks Orlovich <[email protected]> Reviewed-by: Chris Fredrickson <[email protected]> Reviewed-by: Dylan Cutler <[email protected]> Cr-Commit-Position: refs/heads/main@{#1478697}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Jun 25, 2025
Similar to [1], this adds an __HostHttp- prefix that ensures that a cookies is both Host-scoped and httpOnly. Specified in [2] [1] https://chromium-review.googlesource.com/c/chromium/src/+/6638647 [2] httpwg/http-extensions#3110 Bug: 426096760 Change-Id: Id1637331eaa3035443d005450c022b326378aeed Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6650996 Commit-Queue: Yoav Weiss (@Shopify) <[email protected]> Reviewed-by: Maks Orlovich <[email protected]> Reviewed-by: Chris Fredrickson <[email protected]> Reviewed-by: Dylan Cutler <[email protected]> Cr-Commit-Position: refs/heads/main@{#1478697}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Jun 25, 2025
Similar to [1], this adds an __HostHttp- prefix that ensures that a cookies is both Host-scoped and httpOnly. Specified in [2] [1] https://chromium-review.googlesource.com/c/chromium/src/+/6638647 [2] httpwg/http-extensions#3110 Bug: 426096760 Change-Id: Id1637331eaa3035443d005450c022b326378aeed Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6650996 Commit-Queue: Yoav Weiss (@Shopify) <[email protected]> Reviewed-by: Maks Orlovich <[email protected]> Reviewed-by: Chris Fredrickson <[email protected]> Reviewed-by: Dylan Cutler <[email protected]> Cr-Commit-Position: refs/heads/main@{#1478697}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As discussed at IETF 122, this is a stab at integrating https://yoavweiss.github.io/httponly_prefix/draft-httponlyprefix-weiss-http.html with the Cookie layering processing model.