]> HttpOnly cookie prefix Shopify
yoav@yoav.ws
Shopify
matthew.o.metzger@gmail.com
next generation unicorn sparkling distributed ledger This draft introduces the __HttpOnly and __HostHttpOnly cookie name prefixes that ensure the cookie was set with an HttpOnly attribute. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Source for this draft and an issue tracker can be found at .
Introduction There are cases where it's important to distinguish on the server side between cookies that were set by the server and ones that were set by the client. One such case is cookies that are normally always set by the server, unless some unexpected code (an XSS exploit, a malicious extension, a commit from a confused developer, etc.) happens to set them on the client. This draft add a signal that would enable servers to make such a distinction. More specifically, it defines the __HttpOnly and __HostHttpOnly prefixes, that make sure that a cookie is not set on the client side using script.
Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Server Requirements These requirements apply to cookies set in Set-Cookie response headers by the server, as well as ones received in a Cookie request header from the client.
Cookie Name Prefixes
The "__HttpOnly-" prefix
Cookie creation If a server creates a cookie whose name begins with a case-sensitive match for the string __HttpOnly-, then all the following MUST be true:
  1. The Set-Cookie HTTP header MUST include the Secure attribute.
  2. The Set-Cookie HTTP header MUST include the HttpOnly attribute.
Cookie processing If a server processes a cookie received in a Cookie request header whose name begins with a case-sensitive match for the string __HttpOnly-, this indicates that all the following are true:
  1. The cookie was originally created using a Set-Cookie HTTP header sent from this server.
  2. The Set-Cookie HTTP header included the Secure attribute.
  3. The Set-Cookie HTTP header included the HttpOnly attribute.
The "__HostHttpOnly-" prefix
Cookie creation If a server uses a Set-Cookie HTTP header to create a cookie whose name begins with a case-sensitive match for the string __HostHttpOnly-, then all the following MUST be true:
  1. The Set-Cookie HTTP header MUST include the Secure attribute.
  2. The Set-Cookie HTTP header MUST include the HttpOnly attribute.
  3. The Set-Cookie HTTP header MUST include the Path attribute with a value of /.
  4. The Set-Cookie HTTP header MUST NOT include the Domain attribute.
Cookie processing If a server processes a cookie received in a Cookie request header whose name begins with a case-sensitive match for the string __HostHttpOnly-, this indicates that all the following are true:
  1. The cookie was originally created using a Set-Cookie HTTP header sent from this server
  2. The Set-Cookie HTTP header included the Secure attribute.
  3. The Set-Cookie HTTP header included the HttpOnly attribute.
  4. The Set-Cookie HTTP header included the Path attribute with a value of /.
  5. The Set-Cookie HTTP header did not include the Domain attribute.
User Agent Requirements These requirements apply to cookies received in a Set-Cookie response header from the server.
Cookie Name Prefixes User agents' requirements for cookie name prefixes differ slightly from servers', as UAs MUST match the prefix string case-insensitively.
Storage Model Add the following steps after step 21 of section 5.7 in .
  1. If the cookie-name begins with a case-insensitive match for the string "__HttpOnly-",
    1. Abort these steps and ignore the cookie entirely unless all the following conditions are true:
      1. The cookie's secure-only-flag is true.
      2. The cookie's http-only-flag is true.
      3. The cookie-attribute-list contains an attribute with an attribute-name of "Path", and the cookie's path is "/".
  2. If the cookie-name begins with a case-insensitive match for the string "__HostHttpOnly-",
    1. Abort these steps and ignore the cookie entirely unless all the following conditions are true:
      1. The cookie's secure-only-flag is true.
      2. The cookie's http-only-flag is true.
      3. The cookie's host-only-flag is true.
      4. The cookie-attribute-list contains an attribute with an attribute-name of "Path", and the cookie's path is "/".
      5. The cookie-attribute-list does not contain an attribute with an attribute-name of "Domain".
Security Considerations There are no particular security considerations. These new prefixes will only limit the ability of non-compliant cookies to be set. They do not open up new capabilities for server to set cookies where they previously could not.
IANA Considerations This document has no IANA actions.
Normative References Cookies HTTP State Management Mechanism Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.
Acknowledgments Thanks to Rory Hewitt for his contributions to this draft. TODO acknowledge.