{
+ "COOKIES": {
+ "authors": ["Johann Hofmann", "Anne van Kesteren"],
+ "href": "https://www.ietf.org/archive/id/draft-annevk-johannhof-httpbis-cookies-00.html",
+ "title": "Cookies: HTTP State Management Mechanism"
+ },
"HTTP": {
"aliasOf": "RFC9110"
},
@@ -1938,6 +1956,10 @@ not always relevant and might require different behavior.
"client" or an origin. Unless stated otherwise it is
"client".
+A request has an associated
+top-level navigation
+initiator origin, which is an origin or null. Unless stated otherwise it is null.
+
"client" is changed to an origin during
fetching. It provides a convenient way for standards to not have to set
request's origin.
@@ -2226,9 +2248,9 @@ or "object".
-A request request has a
-redirect-tainted origin if these steps
-return true:
+
A request has a redirect-taint,
+which is "same-origin", "same-site", or "cross-site".
+
To get request request's redirect-taint:
Assert: request's origin is not
@@ -2236,6 +2258,8 @@ return true:
Let lastURL be null.
+
Let computedTaint be "same-origin".
+
-
For each url of request's URL list:
@@ -2243,14 +2267,20 @@ return true:
If lastURL is null, then set lastURL to url and
continue.
+
If url's origin is not same site with
+ lastURL's origin and request's origin is
+ not same site with lastURL's origin, then return
+ "cross-site".
+
If url's origin is not same origin with
lastURL's origin and request's origin is
- not same origin with lastURL's origin, then return true.
+ not same origin with lastURL's origin, then set
+ computedTaint to "same-site".
- Set lastURL to url.
- Return false.
+ Return computedTaint.
@@ -2262,8 +2292,8 @@ run these steps:
If request has a redirect-tainted origin, then return
- "null".
+
If request's redirect-taint is not "same-origin",
+ then return "null".
Return request's origin,
serialized.
@@ -2372,8 +2402,8 @@ source of security bugs. Please seek security review for features that deal with
"credentialless", then return true.
If request's origin is same origin with - request's current URL's origin and request - does not have a redirect-tainted origin, then return true.
+ request's current URL's origin and request's + redirect-taint is not "same-origin", then return true.
Return false.
@@ -2486,8 +2516,9 @@ this is also tracked internally using the request's timing allow service worker timing info (null or a service worker timing info), which is initially null. -A response has an associated has-cross-origin-redirects -(a boolean), which is initially false. +
A response has an associated redirect taint
+("same-origin", "same-site", or "cross-site", which is
+initially "same-origin".
The server can use this to adjust the caching expiry for prefetches, to disallow the prefetch, or to treat it differently when counting page visits. +
Cookie` headerThe `Cookie` header is largely defined in its own specification. [[COOKIES]].
+We define infrastructure to be able to use them conveniently here.
+
+
To append a request `Cookie` header,
+given a request request, run these steps:
+
+
If the user-agent is configured to disable cookies for request, it should + return. + +
Let |sameSite| be the result of [=determining the same-site mode=] for request. + +
Let |isSecure| be false. + +
If request's client is a secure context, then set + |isSecure| to true. + +
Let |httpOnlyAllowed| be true. + +
Fetch implies that the request is http-only, as opposed to document.cookie + +
Let |cookies| be the result of running retrieve cookies given |isSecure|, + request's current URL's host, request's + current URL's path, |httpOnlyAllowed|, and |sameSite| + +
It is expected that the cookie store returns an ordered list of cookies + +
Cookie`, value) to
+ request's header list.
+To parse and store response
+`Set-Cookie` headers, given a request request and a response response, run these steps:
+
+
If the user-agent is configured to disable cookies for request, it should + return. +
Let |allowNonHostOnlyCookieForPublicSuffix| be false. + +
Let |isSecure| be false. + +
If request's client is a secure context, set + |isSecure| to true. + +
Let |httpOnlyAllowed| be true. + +
Fetch implies that the request is http-only, as opposed to document.cookie + +
Let |sameSiteStrictOrLaxAllowed| be true if the result of [=determine the same-site mode=]
+ for |request| is "StrictOrLess", and false otherwise.
+
+
For each header of response's header + list: + +
If header's name is not a byte-case-insensitive match
+ for `Set-Cookie`, continue.
+
+
Parse and store a cookie given header's value, + |isSecure|, request's current URL's host, + request's current URL's path, |httpOnlyAllowed|, + |allowNonHostOnlyCookieForPublicSuffix|, and |sameSiteStrictOrLaxAllowed| +
To determine the same-site mode for a given request request, +run these steps: + +
If request's top-level navigation initiator origin is not
+ null and is not same site to request's URL's
+ origin, return "UnsetOrLess".
+
+
If request's method is "GET" and request's destination is "document", return "LaxOrLess".
+
+
If request's client's ancestry is
+ "cross-site", return "UnsetOrLess".
+
+
If request's redirect-taint is "cross-site",
+ return "UnsetOrLess".
+
+
Return "StrictOrLess". +
If request has a redirect-tainted origin, then set - internalResponse's has-cross-origin-redirects to true. +
Set internalResponse's redirect taint to request's + redirect-taint.
If request's timing allow failed flag is unset, then set internalResponse's timing allow passed flag. @@ -4834,7 +4966,7 @@ steps:
If fetchParams's request's mode is
not "navigate" or response's
- has-cross-origin-redirects is false:
+ redirect taint is "same-origin":
Set responseStatus to response's status. @@ -5710,21 +5842,7 @@ run these steps:
If includeCredentials is true, then:
If the user agent is not configured to block cookies for httpRequest (see - section 7 of - [[!COOKIES]]), then: - -
Let cookies be the result of running the "cookie-string" algorithm (see - section 5.4 of - [[!COOKIES]]) with the user agent's cookie store and httpRequest's - current URL. - -
Cookie`, cookies) to httpRequest's
- header list.
- Append a request `Cookie` header for httpRequest.
If httpRequest's header list @@ -6288,14 +6406,9 @@ optional boolean forceNewConnection (default false), run these steps:
If includeCredentials is true and the user agent is not
- configured to block cookies for request (see
- section 7 of
- [[!COOKIES]]), then run the "set-cookie-string" parsing algorithm (see
- section 5.2 of [[!COOKIES]]) on the
- value of each header whose name is a
- byte-case-insensitive match for `Set-Cookie` in response's
- header list, if any, and request's current URL.
+
If includeCredentials is true, the user agent should parse and
+ store response `Set-Cookie` headers given request and
+ response.
Run these steps in parallel: