Steven Bingler
The spec should specify how `document.cookie` serializes cookie octets into a cookie-string (To my untrained eye it looks like the existing document.cookie section does something like this, but I'm not...
A number of cookie attributes accept values which must conform to some requirement of the attribute. These values can be more freeform such as `Domain` or `Path` or must be...
Sparked from: https://github.com/web-platform-tests/wpt/issues/26123 [6265bis-06](https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-06) doesn't seem to have any instructions on how to handle cookies set on/by localhost. More specifically for this issue: how the Domain attribute should be handled....
Modify the cookie storage algorithm to reject cookies that:
- Do not have a name
- Have values that look like cookie prefixes

As mentioned in #2229, malicious servers can...
Closes #2104. This PR removes the requirement of checking the request's redirect chain during the computation of same-site-ness. This is being done because RFC6265bis is blocked by this work but...
This requirement was removed in https://github.com/httpwg/http-extensions/pull/2750 for web compatibility reasons. We would like to add this requirement back. See also #2104
https://github.com/httpwg/http-extensions/pull/2480 updated 6265bis with new HTML terminology, but "target browsing context" wasn't yet changed. whatwg/html#8463 is tracking that work and once it is fixed then 6265bis can use the updated...
This PR is a WIP while waiting on data to show us that this is the correct approach. Until https://github.com/httpwg/http-extensions/pull/1348, the spec mistakenly didn't define the same-site-ness to include the...
The current OBC monkey patch doesn't specify the changes to the cookie eviction order. It should specify that
- Domain cookies should be evicted before host cookies
- Non-secure cookies should be...

Closes #2352. Summarizes all the major changes from 6265bis, replacing the existing draft-by-draft change log.