This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Talk:SameSite"
From OWASP
(asking about expired rfc6265bis which is the only doc to define SameSite) |
(re) |
||
Line 1: | Line 1: | ||
I know browsers have implemented the SameSite attribute, but the only IETF document that defines it is draft-ietf-httpbis-rfc6265bis-02, which is expired. RFC6265 does not include the SameSite attribute. Do browsers choose to implement draft specs on their own? | I know browsers have implemented the SameSite attribute, but the only IETF document that defines it is draft-ietf-httpbis-rfc6265bis-02, which is expired. RFC6265 does not include the SameSite attribute. Do browsers choose to implement draft specs on their own? | ||
+ | * It's been always the case - such minor security controls are frequently proposed and then implemented based on industry consensus, and after they're verified in the field, a RFC is created to standardize them retroactively. [[User:Pawel Krawczyk|Pawel Krawczyk]] ([[User talk:Pawel Krawczyk|talk]]) 10:42, 5 May 2018 (CDT) |
Revision as of 15:42, 5 May 2018
I know browsers have implemented the SameSite attribute, but the only IETF document that defines it is draft-ietf-httpbis-rfc6265bis-02, which is expired. RFC6265 does not include the SameSite attribute. Do browsers choose to implement draft specs on their own?
- It's been always the case - such minor security controls are frequently proposed and then implemented based on industry consensus, and after they're verified in the field, a RFC is created to standardize them retroactively. Pawel Krawczyk (talk) 10:42, 5 May 2018 (CDT)