RFC6265bis Tests

SameSite Cookies

draft-ietf-httpbis-cookie-same-site defines a SameSite attribute which allows servers to mitigate the risk of cross-site request forgery attacks, and some kinds of cross-origin information leakage.

| Test Suite | | Chrome 51 | Chrome 52 | Chrome 53 | Chrome 54 | Firefox (#795346) | Safari (#159464) | Edge (#201) |
|---|---|---|---|---|---|---|---|---|
| Basics | `fetch()` | 7/12 | 7/12 | 12/12 | 12/12 | 0/12 | 0/12 | 0/12 |
| | `<form method="GET" target="_blank">` | 12/12 | 12/12 | 12/12 | 12/12 | 0/12 | 0/12 | 0/12 |
| | `<form method="POST" target="_blank">` | 12/12 | 12/12 | 12/12 | 12/12 | 0/12 | 0/12 | 0/12 |
| | `<iframe>` | 12/12 | 12/12 | 12/12 | 12/12 | 0/12 | 0/12 | 0/12 |
| | `<img>` | 12/12 | 12/12 | 12/12 | 12/12 | 0/12 | 0/12 | 0/12 |
| | `window.open()` | 12/12 | 12/12 | 12/12 | 12/12 | 0/12 | 0/12 | 0/12 |
| reload() | `<form method="GET" target="_blank">` | 2/3 | 2/3 | 2/3 | 2/3 | 0/3 | 0/3 | 0/3 |
| | `<form method="POST" target="_blank">` | 2/3 | 2/3 | 2/3 | 2/3 | 0/3 | 0/3 | 0/3 |
| | `<iframe>` | 2/3 | 2/3 | 2/3 | 2/3 | 0/3 | 0/3 | 0/3 |
| | `window.open()` | 2/3 | 2/3 | 2/3 | 2/3 | 0/3 | 0/3 | 0/3 |

"Leave Secure Cookies Alone!"

draft-ietf-httpbis-cookie-alone updates RFC6265 by removing a non-secure origin's ability to set cookies with a secure flag, and to overwrite cookies whose secure flag is set. This deprecation improves the isolation between HTTP and HTTPS origins, and reduces the risk of malicious interference.

| Test Suite | Chrome 51 | Chrome 52 | Chrome 53 | Chrome 54 | Firefox (#976073) | Safari (#TBD) | Edge (#TBD) |
|---|---|---|---|---|---|---|---|
| set/read secure cookie from HTTP | 0/4 | 0/4 | 0/4 | 0/4 | 0/4 | 0/4 | 0/4 |

Cookie Prefixes

draft-ietf-httpbis-cookie-prefixes updates RFC6265 by adding a set of restrictions upon the names which may be used for cookies with specific properties. These restrictions enable user agents to smuggle cookie state to the server within the confines of the existing Cookie request header syntax, and limit the ways in which cookies may be abused in a conforming user agent.

| Test Suite | | Chrome 51 | Chrome 52 | Chrome 53 | Chrome 54 | Firefox (#976073) | Safari (#TBD) | Edge (#TBD) |
|---|---|---|---|---|---|---|---|---|
| `__Secure-` | `document.cookie`, non-secure origin | 8/8 | 8/8 | 8/8 | 8/8 | 5/8 | (no fetch()) | 5/8 |
| | `Set-Cookie`, non-secure origin | 8/8 | 8/8 | 8/8 | 8/8 | 1/8 | (no fetch()) | 1/8 |
| `__Host-` | `document.cookie`, non-secure origin | 9/9 | 9/9 | 9/9 | 9/9 | 6/9 | (no fetch()) | 6/9 |
| | `Set-Cookie`, non-secure origin | 9/9 | 9/9 | 9/9 | 9/9 | 1/9 | (no fetch()) | 1/9 |
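As an added example that is not part of this test page or of the drafts themselves, the following Python models the two storage rules the last two tables exercise: the cookie-prefixes checks for `__Secure-` and `__Host-`, and the cookie-alone rule that a non-secure origin may neither set a Secure cookie nor overwrite an existing one. Domain and path matching follow RFC 6265 section 5.1; the `CookieJar` class and its method names are assumptions of this example.

```python
from urllib.parse import urlparse

def parse_set_cookie(header):
    # Split a Set-Cookie header into name, value and lower-cased attribute names
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (av.partition("=") for av in rest)}
    return name.strip(), value, attrs

def default_path(uri_path):  # RFC 6265 section 5.1.4
    if not uri_path.startswith("/") or uri_path.count("/") == 1:
        return "/"
    return uri_path.rsplit("/", 1)[0]

def path_matches(request_path, cookie_path):  # RFC 6265 section 5.1.4
    return request_path == cookie_path or (request_path.startswith(cookie_path) and
        (cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"))

def domain_matches(s, d):  # RFC 6265 section 5.1.3, host names only (no IP check)
    return s == d or s.endswith("." + d)

def prefix_ok(name, attrs, secure_origin):
    # cookie-prefixes: __Secure- needs Secure from an https origin; __Host- also needs Path=/ and no Domain
    if name.startswith("__Host-"):
        return (secure_origin and "secure" in attrs and "domain" not in attrs
                and attrs.get("path") == "/")
    if name.startswith("__Secure-"):
        return secure_origin and "secure" in attrs
    return True

class CookieJar:  # hypothetical minimal cookie store, keyed as in RFC 6265 section 5.3
    def __init__(self):
        self.store = {}  # (name, domain, path) -> {"value": str, "secure": bool}
    def set_cookie(self, url, header):
        u = urlparse(url)
        secure_origin = u.scheme == "https"
        name, value, attrs = parse_set_cookie(header)
        secure = "secure" in attrs
        if not prefix_ok(name, attrs, secure_origin) or (secure and not secure_origin):
            return False  # prefix violation, or an http origin setting a Secure cookie
        domain = (attrs.get("domain") or u.hostname).lstrip(".").lower()
        path = attrs["path"] if attrs.get("path", "").startswith("/") else default_path(u.path)
        if not secure and not secure_origin:  # cookie-alone: http must not clobber Secure cookies
            for (n, d, p), c in self.store.items():
                if (n == name and c["secure"] and path_matches(path, p)
                        and (domain_matches(domain, d) or domain_matches(d, domain))):
                    return False
        self.store[(name, domain, path)] = {"value": value, "secure": secure}
        return True
```

`set_cookie` returns True when the cookie is stored and False when one of the rules rejects it, which is the pass/fail distinction the suites above count.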