This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Talk:SameSite

From OWASP

Revision as of 15:42, 5 May 2018 by Pawel Krawczyk (talk | contribs) (re)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to: navigation, search

I know browsers have implemented the SameSite attribute, but the only IETF document that defines it is draft-ietf-httpbis-rfc6265bis-02, which is expired. RFC6265 does not include the SameSite attribute. Do browsers choose to implement draft specs on their own?

It's been always the case - such minor security controls are frequently proposed and then implemented based on industry consensus, and after they're verified in the field, a RFC is created to standardize them retroactively. Pawel Krawczyk (talk) 10:42, 5 May 2018 (CDT)

Retrieved from "https://wiki.owasp.org/index.php?title=Talk:SameSite&oldid=240433"