Re: [http-state] Updated draft

Daniel Stenberg <daniel@haxx.se> Sun, 16 August 2009 20:42 UTC

Return-Path: <daniel@haxx.se>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ECA2A28C13C for <http-state@core3.amsl.com>; Sun, 16 Aug 2009 13:42:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[AWL=-1.338, BAYES_05=-1.11, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w7+yEWZhH8QT for <http-state@core3.amsl.com>; Sun, 16 Aug 2009 13:42:21 -0700 (PDT)
Received: from kluster1.contactor.se (kluster1.contactor.se [91.191.140.11]) by core3.amsl.com (Postfix) with ESMTP id 42DA228C0F4 for <http-state@ietf.org>; Sun, 16 Aug 2009 13:42:20 -0700 (PDT)
Received: from linux2.contactor.se (linux2.contactor.se [91.191.140.14]) by kluster1.contactor.se (8.13.8/8.13.8/Debian-3) with ESMTP id n7GKgMOk007946; Sun, 16 Aug 2009 22:42:23 +0200
Date: Sun, 16 Aug 2009 22:42:22 +0200
From: Daniel Stenberg <daniel@haxx.se>
X-X-Sender: dast@linux2.contactor.se
To: Adam Barth <ietf@adambarth.com>
In-Reply-To: <7789133a0908161131s5741d457q812b5e4213452054@mail.gmail.com>
Message-ID: <alpine.DEB.2.00.0908162035140.13789@yvahk2.pbagnpgbe.fr>
References: <7789133a0908151008p35ff30e6w2761368fe70d41a6@mail.gmail.com> <alpine.DEB.2.00.0908152250410.18461@yvahk2.pbagnpgbe.fr> <7789133a0908151642w47c1dbf1x48268e657b0d71cc@mail.gmail.com> <alpine.DEB.2.00.0908161440520.25988@yvahk2.pbagnpgbe.fr> <7789133a0908161032l2265ce5fg966c434f1b05aa64@mail.gmail.com> <alpine.DEB.2.00.0908161952060.13789@yvahk2.pbagnpgbe.fr> <7789133a0908161131s5741d457q812b5e4213452054@mail.gmail.com>
User-Agent: Alpine 2.00 (DEB 1167 2008-08-23)
X-fromdanielhimself: yes
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Updated draft
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Aug 2009 20:42:23 -0000

On Sun, 16 Aug 2009, Adam Barth wrote:

> User agents comprising >99% of the market share implement path-length 
> sorting.  The only implementation I'm aware of that does not perform 
> path-length sorting is CURL.  Are there other implementations we should 
> factor into our decisions?

Right, but did you check libsoup, wget or whatever other fairly common 
non-browser http clients there are out there? Or why not the most popular 
native libs for Java, Python or perl?

As curl is not a browser at all you could test 100% of the browsers and curl 
would still not be in that lump. You cannot use browser share among end users 
as a proper measurement here. If you can reach 99% of the server 
implementations it would matter a lot more.

> I suspect that Internet Explorer, Firefox, Safari, Chrome, and Opera have 
> collectively been tested on more web sites than CURL.  When 5 out of 5 major 
> browsers agree, there's likely a reason.

Then please tell me the reason. Why do they sort the cookies like this? (And I 
don't count "because RFC2109/2965 says so" to be a good explanation.)

And the reversed: how come (virtually) no server-side receivers care about the 
order?

> "If I were going to implement a new user agent today and I wanted to 
> maximize compatibility, would I implement this requirement?"
>
> In this case, it's clear that I would want to implement a behavior that 
> matches all of the major browsers.

I think you're looking at it from the wrong perspective. If I were to 
implement a new cookie "engine" today and maximize compatibility, I would make 
sure that it plays with 99.[something] of the _server_-implementions. And 
funnily enough, I claim that curl does!

A request-header should be looked for compliance in the server-end, imo.

Obviously I don't have any measured numbers to back this up but curl has 
always been used a lot to mimic browsers and to automate what people otherwise 
do manually with browsers, and I've always put in an effort to make sure that 
curl can do everything the browsers can (HTTP wise). This sorting thing has 
never been an issue to my knowledge (and yes I do realize I'm sticking my neck 
out here).

>> it could only really have a meaning if more than 50 (or so) cookies are 
>> stored for a domain as then the sort order would decide which cookies to 
>> discard
>
> This is not the case.  The priority order for evicting cookies is different 
> from the order in which cookies appear in the Cookie header (which is what 
> we're discussing).

Ah, that's what I get for reading it sloppy, sorry.

But it only makes my point even stronger: Why do we specify the order at all? 
What's the useful purpose to any party involved?

-- 

  / daniel.haxx.se