
Talk:SameSite

From OWASP

I know browsers have implemented the SameSite attribute, but the only IETF document that defines it is draft-ietf-httpbis-rfc6265bis-02, which is expired. RFC6265 does not include the SameSite attribute. Do browsers choose to implement draft specs on their own?

  • It's always been the case - such minor security controls are frequently proposed and then implemented based on industry consensus, and after they're verified in the field, an RFC is created to standardize them retroactively. Pawel Krawczyk (talk) 10:42, 5 May 2018 (CDT)

I would not include languages here, as this is more about the feature. You can set cookie attributes in every language, and most web servers, proxies or WAFs can set attributes as well. If we start mentioning for every cookie attribute or header how to implement it, it gets tough to read and becomes a maintenance nightmare. User:Dirk_Wetter, 2018/17/12, 2pm CET