[http-state] Apps area review of draft-ietf-httpstate-cookie-19
Lisa Dusseault <lisa.dusseault@gmail.com> Sun, 05 December 2010 18:04 UTC
Return-Path: <lisa.dusseault@gmail.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 78AEF28C115; Sun, 5 Dec 2010 10:04:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jpwh8YDRZzJG; Sun, 5 Dec 2010 10:04:11 -0800 (PST)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by core3.amsl.com (Postfix) with ESMTP id 29AFF28C0E3; Sun, 5 Dec 2010 10:04:11 -0800 (PST)
Received: by wyf23 with SMTP id 23so10463965wyf.31 for <multiple recipients>; Sun, 05 Dec 2010 10:05:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:date:message-id :subject:from:to:content-type; bh=xkXrm0yuB0mnL9fKcGExgQaj7eEMf+A6rVsqxfkY3c4=; b=pkOquRYJ0tadtPOk8DIxcm6Om3Dta8X5s47i6Yuqwg8Q6sr+timtMyufuAUUKAA9QJ NnEgpyE+KVz2eBJbU+rqZVcODhNRbi50s1ffOOI9AIZ0GlWT5JGb/i93E4H3rfAxb9hp lkB1SGD6t+qR85hPNxYmJylkPFRkV35YzQKfY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=FHjqKBqYTVDwYCBXcLzfclB1Y7EPMv6zqmy39ZzGmQo+4YW8e8FckBt543DBEqs6u0 uqIC2sb9Dmq3qjZRt+HHzGAsf811O1wRLDhD17cig3XQPq5go2xr2w1dEFqy9fapaWka gdQTm8yHKxicuY18ato6eM1Ffv2I8EcCPmvME=
MIME-Version: 1.0
Received: by 10.216.231.160 with SMTP id l32mr1647171weq.98.1291572330371; Sun, 05 Dec 2010 10:05:30 -0800 (PST)
Received: by 10.216.30.131 with HTTP; Sun, 5 Dec 2010 10:05:30 -0800 (PST)
Date: Sun, 05 Dec 2010 10:05:30 -0800
Message-ID: <AANLkTinsO=YNNe701VUZjgpmTCjHAbeDNUiG=rv6dq+x@mail.gmail.com>
From: Lisa Dusseault <lisa.dusseault@gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>, SM <sm+ietf@elandsys.com>, Peter Saint-Andre <stpeter@gmail.com>, apps-discuss@ietf.org, ietf@adambarth.com, http-state@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
X-Mailman-Approved-At: Wed, 15 Dec 2010 08:54:09 -0800
Subject: [http-state] Apps area review of draft-ietf-httpstate-cookie-19
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Dec 2010 18:04:12 -0000
Hi Adam and others, I have been selected as the Applications Area Review Team reviewer for this draft (for background on apps-review, please see http://www.apps.ietf.org/content/applications-area-review-team). Document: draft-ietf-httpstate-cookie-19 Title: HTTP State Management Mechanism Reviewer: Lisa Dusseault Review Date: Dec 5, 2010 IETF Last Call Date: 2010-11-29 IESG Telechat Date: 2010-12-16] Summary: I recommend this document for publication. The document alone is quite valuable, and the actions to register headers and mark other documents as historic makes it even more useful to the Internet community. I also found this document had strong investigation, discussion and reviews in its history. Major Issues: None Minor Issues: Section 3. "Origin servers can send a Set-Cookie response header with any response.". Do we happen to know if it's more common for user agents to handle, or ignore Set-Cookie response headers on error responses? I'd be surprised if user-agents do handle them including on 500-level, 400-level and particularly on a 100 Continue response, but I haven't tested it. Is it part of your tests? So while this statement is factual, it might not help servers much. If my assumption about some clients ignoring the header on some classes of responses is correct, I would add that information to the document in a non-normative sentence. Section 4. As a matter of taste, my choice would be to make it even more clear that third-party cookie protections erected by user agents cannot provide the desired protection from cooperating servers. E.g. "No limitations on cookie use can prevent cooperating servers from injecting identifying information in dynamic URLs." Thank-you, Lisa Dusseault
- Re: [http-state] Apps area review of draft-ietf-h… Adam Barth
- [http-state] Apps area review of draft-ietf-https… Lisa Dusseault