[RFC6265bis, Editorial]: Actually use example TLD. #1035

Merged (1 commit), Jan 21, 2020
8 changes: 4 additions & 4 deletions draft-ietf-httpbis-rfc6265bis.md
@@ -329,7 +329,7 @@ in Section 4.2.1 of {{RFC7231}}.
The term "public suffix" is defined in a note in Section 5.3 of {{RFC6265}} as
"a domain that is controlled by a public registry", and are also known as
"effective top-level domains" (eTLDs). For example, `site.example`'s public
suffix is `com`. User agents SHOULD use an up-to-date public suffix list,
suffix is `example`. User agents SHOULD use an up-to-date public suffix list,
such as the one maintained by Mozilla at {{PSL}}.

An origin's "registered domain" is the origin's host's public suffix plus the
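Review bot: the unchanged lead-in to this hunk has a subject/verb agreement slip that an editorial pass should pick up: "The term "public suffix" is defined ... as "a domain that is controlled by a public registry", and are also known as "effective top-level domains"". The subject of "are" is the singular "term"; consider "..., and such domains are also known as "effective top-level domains" (eTLDs)". The corrected example itself reads right: with `site.example` as the host, its public suffix is `example`, which is consistent with the later NOTE where `attacker.example` is prevented from setting a Domain attribute of "example".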
@@ -1378,8 +1378,8 @@ user agent MUST process the cookie as follows:

NOTE: A "public suffix" is a domain that is controlled by a public registry,
such as "com", "co.uk", and "pvt.k12.wy.us". This step is essential for
preventing attacker.com from disrupting the integrity of site.example by
setting a cookie with a Domain attribute of "com". Unfortunately, the set
preventing `attacker.example` from disrupting the integrity of `site.example`
by setting a cookie with a Domain attribute of "example". Unfortunately, the set
of public suffixes (also known as "registry controlled domains") changes
over time. If feasible, user agents SHOULD use an up-to-date public suffix
list, such as the one maintained by the Mozilla project at
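Review bot: the two new lines switch this NOTE to backtick code spans (`attacker.example`, `site.example`) while the rest of the same paragraph keeps the draft's double-quote style ("com", "co.uk", "pvt.k12.wy.us", and the Domain attribute value "example"). Pick one form for the whole note; the smallest change is to keep the quotes the surrounding sentences already use, i.e. `preventing "attacker.example" from disrupting the integrity of "site.example"`. Separately, now that "example" is the public suffix the whole example hinges on, consider naming it in the illustrative list at the top of the note (`such as "com", "co.uk", "pvt.k12.wy.us", and "example"`) so the reader does not have to infer that it counts as one.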
@@ -1956,7 +1956,7 @@ webmail provider `https://site.example/`. They might expect that clicking on an
emailed link to `https://projects.example/secret/project` would show them the secret
project that they're authorized to see, but if `projects.example` has marked their
session cookies as `SameSite`, then this cross-site navigation won't send them
along with the request. `projects.com` will render a 404 error to avoid leaking
along with the request. `projects.example` will render a 404 error to avoid leaking
secret information, and the user will be quite confused.

Developers can avoid this confusion by adopting a session management system that
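Review bot: while this paragraph is being touched, the condition "if `projects.example` has marked their session cookies as `SameSite`" is imprecise: the behaviour described (cookies withheld on a cross-site top-level navigation from the emailed link, so the user lands on a 404) is what `SameSite=Strict` produces; cookies marked `SameSite=Lax` are still sent on top-level navigations and the user would see the project. Suggest "marked their session cookies as `SameSite=Strict`". The `projects.com` to `projects.example` fix itself is correct and makes the host match the `https://projects.example/secret/project` URL two lines above.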