> On 26 Jun 2026, at 00:50, Aaron Parecki <[email protected]> wrote:
>
> Hi all,
>
> As you probably know, the "OAuth for Browser-Based Apps BCP" document has
> been stuck in the editor's queue for almost a year waiting on the publication
> of RFC6265bis. In the meantime, the HTTPbis working group has revised the
> recommendation in RFC6265bis that we reference, changing the recommendation
> from prefixing cookies with "__Host-" to "__Host-Http-" in a new document
> draft-ietf-httpbis-layered-cookies.
From what I can see, they've not changed it; they've introduced another set of prefixes. The __Host- prefix still exists, it just doesn't require the HttpOnly flag on cookies that are set. Given that the BCP already says HttpOnly is a MUST, I'm not sure what this adds? Does anyone know why the HTTPBis WG added these new prefixes? The old ones address known concrete security gaps, but I don't see an attack that this new prefix prevents.

-- 
Neil

_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
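As an added illustration of the distinction Neil draws above (example code written for this page; it is not from the thread, the BCP, RFC6265bis or the layered-cookies draft), the checker below models the prefix rules as a browser would apply them when deciding whether to store a Set-Cookie: `__Secure-` needs Secure; `__Host-` needs Secure, no Domain, and Path=/; the newer `__Http-` and `__Host-Http-` add HttpOnly on top of those. The exact rule set for the new prefixes is my reading of draft-ietf-httpbis-layered-cookies and is an assumption to verify against the current draft text. The point it shows is the one in Neil's message: a `__Host-` cookie set without HttpOnly is still accepted, so the BCP's HttpOnly MUST is only a server-side obligation, whereas a `__Host-Http-` cookie without HttpOnly is dropped by the browser.

```javascript
// Added example, not code from the OAuth BCP or either IETF draft.
// Prefix rules are modelled on RFC6265bis (__Secure-, __Host-) and, as an
// assumption, on draft-ietf-httpbis-layered-cookies (__Http-, __Host-Http-).

// Parse one Set-Cookie header value into a name, value and the attributes the
// prefix checks care about. Attribute names are matched case-insensitively.
function parseSetCookie(header) {
  const parts = header.split(';').map((s) => s.trim());
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const cookie = { name, value, secure: false, httpOnly: false, domain: null, path: null };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'domain') cookie.domain = val;
    else if (key === 'path') cookie.path = val;
  }
  return cookie;
}

// Return the list of prefix-rule violations for a parsed cookie. An empty list
// means a conforming user agent would store the cookie. Prefix matching is
// case-insensitive, as RFC6265bis specifies for __Secure- and __Host-.
function prefixViolations(cookie) {
  const lower = cookie.name.toLowerCase();
  const problems = [];
  const needSecure = () => { if (!cookie.secure) problems.push('missing Secure'); };
  const needHttpOnly = () => { if (!cookie.httpOnly) problems.push('missing HttpOnly'); };
  const needHost = () => {
    needSecure();
    if (cookie.domain !== null) problems.push('Domain attribute not allowed');
    if (cookie.path !== '/') problems.push('Path must be "/"');
  };

  // Order matters: __Host-Http- also starts with __Host-, so test it first.
  if (lower.startsWith('__host-http-')) { needHost(); needHttpOnly(); }   // assumption: draft rules
  else if (lower.startsWith('__host-')) { needHost(); }                   // RFC6265bis
  else if (lower.startsWith('__http-')) { needSecure(); needHttpOnly(); } // assumption: draft rules
  else if (lower.startsWith('__secure-')) { needSecure(); }               // RFC6265bis
  return problems;
}

// Convenience wrapper: would a browser applying these rules store the cookie?
function wouldBeAccepted(header) {
  return prefixViolations(parseSetCookie(header)).length === 0;
}

// Constructed sample headers: the same session cookie under both prefixes,
// with and without HttpOnly. The __Host- variant without HttpOnly is accepted,
// which is the gap the BCP currently closes only by policy.
const samples = [
  '__Host-sid=abc; Secure; Path=/',
  '__Host-sid=abc; Secure; Path=/; HttpOnly',
  '__Host-Http-sid=abc; Secure; Path=/',
  '__Host-Http-sid=abc; Secure; Path=/; HttpOnly',
  '__Host-sid=abc; Secure; Path=/; Domain=example.com',
];
for (const h of samples) {
  const v = prefixViolations(parseSetCookie(h));
  console.log(`${v.length === 0 ? 'STORED  ' : 'REJECTED'} ${h}${v.length ? '  <- ' + v.join(', ') : ''}`);
}
```

The practical consequence for a deployment is the one Neil is asking about: with `__Host-` the browser enforces Secure, Path and no Domain but leaves HttpOnly to the server, so a misconfigured backend still ends up with a script-readable session cookie that passes the prefix check; moving the name to `__Host-Http-` turns the BCP's MUST into something a conforming browser refuses to store if it is violated.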
