…how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6265. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provision…
…MUST be removed when origin-specific data is cleared (typically, when cookies [RFC6265] are cleared). 9.5. Confusion regarding Request Scheme Some server-side HTTP applications make assumptions about security based upon connection context; for example, equating being served up…
…t unit of isolation. However, many technologies in use today, such as cookies [RFC6265], pre-date the modern web origin concept. These technologies often have different isolation units, leading to vulnerabilities. One alternative is to use only the "registry-controlled" domain …
… way that HTTP cookies allow state management for the stateless HTTP protocol [RFC6265]. Cookie-like fingerprinting can also circumvent user attempts to limit or clear cookies stored by the user agent, as demonstrated by the "evercookie" implementation [EVERCOOKIE]. Where sta…
…cate users (using passwords or multi-factor authentication), then use Cookies [RFC6265] or HTTP authentication [RFC7617] for subsequent exchanges. The IdP proxy is able to access cookies, HTTP authentication or other persistent session data because it operates in the security…
…ure set. Determining whether or not a DoH implementation requires HTTP cookie [RFC6265] support is particularly important because HTTP cookies are the primary state tracking mechanism in HTTP. HTTP cookies SHOULD NOT be accepted by DOH clients unless they are explicitly require…
…e), identifiers the user can manually reset (e.g. [ENCRYPTED-MEDIA], Cookies [RFC6265], and [IndexedDB]), as well as identifying hardware features the user can't easily reset. The ability to introduce some state for an origin which persists across browsing sessions. [SERVICE-…
…the document contains a note explaining the difference. This document obsoletes RFC6265 and 6265bis. 1.1. Examples Using the Set-Cookie header field, a server can send the user agent a short string in an HTTP response that the user agent will return in future HTTP requests that a…
…entations MUST follow cookie restriction and expiry rules specified by RFC 6265 [RFC6265]. See also the Security Considerations section of RFC 6265, and RFC 2964 [RFC2964]. Encryption keys are specified by URI. The delivery of these keys SHOULD be secured by a mechanism such as …
… NOT be stored in cookies that can be sent in the clear. See Sections 7 and 8 of RFC6265 for security considerations about cookies. 7.1.1.3. Access token redirect An attacker uses an access token generated for consumption by one resource server to gain access to a different resour…
… cookies that can be sent in the clear. See "HTTP State Management Mechanism" [RFC6265] for security considerations about cookies. In some deployments, including those utilizing load balancers, the TLS connection to the resource server terminates prior to the actual server that…