From 7a09b52c98ac8d840a8a9907b1a1d9a9e684bcf5 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Thu, 13 Dec 2018 09:57:58 +0100 Subject: cookies: leave secure cookies alone Only allow secure origins to be able to write cookies with the 'secure' flag set. This reduces the risk of non-secure origins to influence the state of secure origins. This implements IETF Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates RFC6265. Closes #2956 Reviewed-by: Daniel Stenberg --- docs/HTTP-COOKIES.md | 4 +++- docs/TODO | 8 -------- 2 files changed, 3 insertions(+), 9 deletions(-) (limited to 'docs') diff --git a/docs/HTTP-COOKIES.md b/docs/HTTP-COOKIES.md index a1b283454..66e39d232 100644 --- a/docs/HTTP-COOKIES.md +++ b/docs/HTTP-COOKIES.md @@ -18,7 +18,9 @@ original [Netscape spec from 1994](https://curl.haxx.se/rfc/cookie_spec.html). In 2011, [RFC6265](https://www.ietf.org/rfc/rfc6265.txt) was finally - published and details how cookies work within HTTP. + published and details how cookies work within HTTP. In 2017, an update was + [drafted](https://tools.ietf.org/html/draft-ietf-httpbis-cookie-alone-01) + to deprecate modification of 'secure' cookies from non-secure origins. ## Cookies saved to disk diff --git a/docs/TODO b/docs/TODO index f7fd722a8..e0d8ed68f 100644 --- a/docs/TODO +++ b/docs/TODO @@ -73,7 +73,6 @@ 5.5 auth= in URLs 5.6 Refuse "downgrade" redirects 5.7 QUIC - 5.8 Leave secure cookies alone 6. TELNET 6.1 ditch stdin @@ -605,13 +604,6 @@ implemented. This, to allow other projects to benefit from the work and to thus broaden the interest and chance of others to participate. -5.8 Leave secure cookies alone - - Non-secure origins (HTTP sites) should not be allowed to set or modify - cookies with the 'secure' property: - - https://tools.ietf.org/html/draft-ietf-httpbis-cookie-alone-01 - 6. TELNET -- cgit v1.2.3