diff --git a/fetch.bs b/fetch.bs index 4b1f0c2ca..1392a348d 100644 --- a/fetch.bs +++ b/fetch.bs @@ -54,10 +54,29 @@ urlPrefix:https://tc39.es/ecma262/#;type:dfn;spec:ecma-262 url:realm;text:realm url:sec-list-and-record-specification-type;text:Record url:current-realm;text:current realm + +urlPrefix:https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-layered-cookies#;type:dfn;spec:cookies + url:name-cookie-store-and-limits;text:cookie store + url:name-parse-and-store-a-cookie;text:parse and store a cookie + url:name-parse-a-cookie;text:parse a cookie + url:name-store-a-cookie;text:store a cookie + url:name-retrieve-cookies;text:retrieve cookies + url:name-serialize-cookies;text:serialize cookies + url:name-garbage-collect-cookies;text:garbage collect cookies + + +urlPrefix:https://html.spec.whatwg.org#;type:dfn;spec:html + url:TODO;text:has cross-site ancestor;for:environment + url:TODO;text:has storage access;for:environment
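Review bot: the two HTML anchors added at the end of this hunk use `url:TODO` (`has cross-site ancestor` and `has storage access`), so Bikeshed will emit links to `https://html.spec.whatwg.org#TODO`; replace them with the real fragment ids before merging, or hold the change until the corresponding HTML definitions land. Of the two, only `has cross-site ancestor` is referenced in the visible changes (in the "determine the same-site mode" steps); if `has storage access` is not used anywhere in the document, drop it rather than ship an unused placeholder anchor.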
{ + "COOKIES": { + "authors": ["Johann Hofmann", "Anne van Kesteren"], + "href": "https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-layered-cookies", + "title": "Cookies: HTTP State Management Mechanism" + }, "HTTP": { "aliasOf": "RFC9110" }, @@ -1942,6 +1961,10 @@ not always relevant and might require different behavior. fetching. It provides a convenient way for standards to not have to set request's origin. +A request has an associated +top-level navigation initiator origin, which is an origin +or null. Unless stated otherwise it is null. +
A request has an associated policy container, which is "
client
" or a policy container. Unless stated otherwise it is @@ -2226,9 +2249,9 @@ or "object
".
-@@ -2262,8 +2293,8 @@ run these steps:A request request has a -redirect-tainted origin if these steps -return true: +
To compute the redirect-taint of a +request request, perform the following steps. They return +"
same-origin
", "same-site
", or "cross-site
".-
Assert: request's origin is not @@ -2236,6 +2259,8 @@ return true:
Let lastURL be null. +
Let computedTaint be "
same-origin
". +For each url of request's URL list: @@ -2243,14 +2268,20 @@ return true:
If lastURL is null, then set lastURL to url and continue. +
If url's origin is not same site with + lastURL's origin and request's origin is + not same site with lastURL's origin, then return + "
cross-site
". +If url's origin is not same origin with lastURL's origin and request's origin is - not same origin with lastURL's origin, then return true. + not same origin with lastURL's origin, then set + computedTaint to "
same-site
". -- Set lastURL to url. +
Set lastURL to url.
Return false. + Return computedTaint.
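Review bot: `redirect-taint` is introduced as an algorithm ("To compute the redirect-taint of a request request, perform the following steps") but every consumer in this patch reads it as a field (`request's redirect-taint` in the Origin header steps, the embedder-policy steps, the same-site mode steps, and `Set internalResponse's redirect taint to request's redirect-taint`). Either phrase the callers as "the result of computing the redirect-taint of request" or define it as a derived property, e.g. "A request's redirect-taint is the result of running the following steps". Relatedly, the response-side field is spelled "redirect taint" with a space while the request-side one is hyphenated; pick one spelling. The step logic itself preserves the old semantics (a hop only counts when both the previous URL's origin and the request's origin differ from the new URL's origin), with the "cross-site" check returning immediately and the "same-origin"-to-"same-site" downgrade only recorded, which reads correctly.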
If request has a redirect-tainted origin, then return
- "null
".
+
If request's redirect-taint is not "same-origin
",
+ then return "null
".
Return request's origin,
serialized.
@@ -2362,20 +2393,20 @@ source of security bugs. Please seek security review for features that deal with
"client
".
If request's mode is not "no-cors
", then return
- true.
If request's client is null, then return true.
+If request's client is null, then return true.
If request's client's
policy container's
embedder policy's value is not
- "credentialless
", then return true.
credentialless
", then return true.
If request's origin is same origin with - request's current URL's origin and request - does not have a redirect-tainted origin, then return true.
+ request's current URL's origin and request's + redirect-taint is not "same-origin
", then return true.
- Return false.
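Review bot: the rewritten condition in this hunk inverts the previous logic. The old step returned true when `request's origin is same origin with request's current URL's origin and request does not have a redirect-tainted origin`; "does not have a redirect-tainted origin" corresponds to a redirect-taint of "same-origin", so the replacement should read `request's current URL's origin and request's redirect-taint is "same-origin", then return true`. As written (`is not "same-origin"`) the step returns true for exactly the redirect-tainted requests it previously excluded and falls through to `Return false` for the untainted same-origin case, flipping the credentialless embedder-policy decision. Compare the Origin header hunk above, which correctly maps "has a redirect-tainted origin" to `is not "same-origin"`.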
+Return false. @@ -2486,8 +2517,9 @@ this is also tracked internally using the request's timing allow service worker timing info (null or a service worker timing info), which is initially null. -
A response has an associated has-cross-origin-redirects -(a boolean), which is initially false. +
A response has an associated redirect taint
+("same-origin
", "same-site
", or "cross-site
"), which is
+initially "same-origin
".
The `Cookie
` request header and `Set-Cookie
` response headers are
+largely defined in their own specifications. We define additional infrastructure to be able to use
+them conveniently here. [[COOKIES]].
+
+
+
Cookie
` headerTo append a request `Cookie
` header, given a request
+request:
+
+
If the user agent is configured to disable cookies for request, then it should + return. + +
Let |sameSite| be the result of [=determining the same-site mode=] for request. + +
Let |isSecure| be true if request's current URL's
+ scheme is "https
"; otherwise false.
+
+
Let |httpOnlyAllowed| be true. + +
True follows from this being invoked from fetch, as opposed to the
+ document.cookie
getter steps for instance.
+
+
Let |cookies| be the result of running retrieve cookies given |isSecure|, + request's current URL's host, request's + current URL's path, |httpOnlyAllowed|, and |sameSite|. + +
The cookie store returns an ordered list of cookies + +
If |cookies| is empty, then return. + +
Let |value| be the result of running serialize cookies given |cookies|. + +
Append (`Cookie
`, value) to
+ request's header list.
+
Set-Cookie
` headerTo parse and store response `Set-Cookie
` headers, given a
+request request and a response response:
+
+
If the user agent is configured to disable cookies for request, then it should + return. + +
Let |allowNonHostOnlyCookieForPublicSuffix| be false. + +
Let |isSecure| be true if request's current URL's
+ scheme is "https
"; otherwise false.
+
+
Let |httpOnlyAllowed| be true. + +
True follows from this being invoked from fetch, as opposed to the
+ document.cookie
getter steps for instance.
+
+
Let |sameSiteStrictOrLaxAllowed| be true if the result of [=determine the same-site mode=]
+ for |request| is "strict-or-less
"; otherwise false.
+
+
For each header of response's + header list: + +
If header's name is not a byte-case-insensitive match
+ for `Set-Cookie
`, then continue.
+
+
Parse and store a cookie given header's value, + |isSecure|, request's current URL's host, + request's current URL's path, |httpOnlyAllowed|, + |allowNonHostOnlyCookieForPublicSuffix|, and |sameSiteStrictOrLaxAllowed|. + +
Garbage collect cookies given request's current URL's + host. +
As noted elsewhere the `Set-Cookie
` header cannot be combined and
+ therefore each occurrence is processed independently. This is not allowed for any other header.
+
To determine the same-site mode for a given request request: + +
If request's top-level navigation initiator origin is not
+ null and is not same site with request's URL's
+ origin, then return "unset-or-less
".
+
+
If request's method is "GET
" and
+ request's destination is "document", then return
+ "lax-or-less
".
+
+
If request's client's
+ has cross-site ancestor is true, then return "unset-or-less
".
+
+
If request's redirect-taint is "cross-site
", then
+ return "unset-or-less
".
+
+
Return "strict-or-less
".
+
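Review bot: step 3 of "determine the same-site mode" dereferences `request's client's has cross-site ancestor` without a null check, but request's client can be null (the embedder-policy steps earlier in this patch guard `If request's client is null` explicitly); add a null check or state which mode a null client yields. Step 1 compares the top-level navigation initiator origin with `request's URL's origin`, whereas every other input the cookie algorithms derive (`isSecure`, host, path) comes from request's current URL; if the comparison is meant against the URL actually being fetched after redirects, say `current URL` here as well. Smaller points: the `[[COOKIES]]` citation in the intro paragraph is informative while the steps normatively invoke retrieve cookies, serialize cookies, parse and store a cookie and garbage collect cookies (the removed text used `[[!COOKIES]]`), so it should be `[[!COOKIES]]`; the Cookie header steps link `[=determining the same-site mode=]` but the definition is "determine the same-site mode" (as the Set-Cookie steps link it), so that link will not resolve unless the dfn lists the alternative; the `Garbage collect cookies` step only needs to run once per response and should sit after the `For each header` loop rather than inside it, which the indentation here leaves ambiguous; and the note "The cookie store returns an ordered list of cookies" is missing its period. Nothing in this patch sets a request's new top-level navigation initiator origin, so the definition should say which spec (presumably the navigation steps in HTML) is expected to populate it.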
The algorithm below defines fetching. In broad strokes, it takes @@ -4680,8 +4833,8 @@ steps: -
If request has a redirect-tainted origin, then set - internalResponse's has-cross-origin-redirects to true. +
Set internalResponse's redirect taint to request's + redirect-taint.
If request's timing allow failed flag is unset, then set internalResponse's timing allow passed flag. @@ -4834,7 +4987,7 @@ steps:
If fetchParams's request's mode is
not "navigate
" or response's
- has-cross-origin-redirects is false:
+ redirect taint is "same-origin
":
Set responseStatus to response's status. @@ -5710,21 +5863,7 @@ run these steps:
If includeCredentials is true, then:
If the user agent is not configured to block cookies for httpRequest (see - section 7 of - [[!COOKIES]]), then: - -
Let cookies be the result of running the "cookie-string" algorithm (see - section 5.4 of - [[!COOKIES]]) with the user agent's cookie store and httpRequest's - current URL. - -
Cookie
`, cookies) to httpRequest's
- header list.
- Append a request `Cookie
` header for httpRequest.
If httpRequest's header list @@ -6288,14 +6427,9 @@ optional boolean forceNewConnection (default false), run these steps:
If includeCredentials is true and the user agent is not
- configured to block cookies for request (see
- section 7 of
- [[!COOKIES]]), then run the "set-cookie-string" parsing algorithm (see
- section 5.2 of [[!COOKIES]]) on the
- value of each header whose name is a
- byte-case-insensitive match for `Set-Cookie
` in response's
- header list, if any, and request's current URL.
+
If includeCredentials is true, then the user agent should
+ parse and store response `Set-Cookie
` headers given request and
+ response.
Run these steps in parallel:
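Review bot: in the 6288 hunk the old text ran the set-cookie-string parsing algorithm unconditionally (subject only to the user's cookie-blocking configuration), but the replacement says the user agent `should parse and store response Set-Cookie headers`, downgrading it to a SHOULD; the matching 5710 hunk uses an unconditional `Append a request Cookie header for httpRequest`, so either drop "should" here or justify the asymmetry between the send and receive paths. Relatedly, the removed lines spoke of a user agent "configured to block cookies" while the new algorithms say "configured to disable cookies"; if these name the same configuration, use one term, and note that the removed `(see section 7 of [[!COOKIES]])` pointer has no replacement, so the new wording no longer says which specification governs that configuration.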