Re: [http-state] Security considerations overview

David Morris <dwm@xpasc.com> Thu, 04 March 2010 20:40 UTC

Date: Thu, 4 Mar 2010 12:40:40 -0800 (PST)
From: David Morris <dwm@xpasc.com>
To: http-state <http-state@ietf.org>
In-Reply-To: <DB63662B-3854-4652-B622-401F54E4B04B@apple.com>
Message-ID: <Pine.LNX.4.64.1003041238350.13321@egate.xpasc.com>

On Thu, 4 Mar 2010, Mark Pauley wrote:

> My confusion is that if you load foo.example.com, which has an embedded
> image loaded from www.advertisement.com, we will fail to set any cookies

This is nitpicky ... but 'will fail to set' should read 'will not set' as the
first implies an error and the latter implies intended behavior.