Re: [http-state] Ticket 6: host-only cookies

Daniel Stenberg <> Fri, 22 January 2010 11:01 UTC

On Fri, 22 Jan 2010, Adam Barth wrote:

> 1) Specify host-only cookies to match Firefox, Chrome, Safari, and Opera. 
> This is best for security, and I think there's a good chance that IE will 
> adopt host-only cookies in future, but I don't have any citable evidence for 
> this belief.  (The draft currently matches this proposal.)

Even though this would be the best security option (and in general I think it 
makes more sense), I don't think we can neglect that one rather widely used 
implementation doesn't do it this way.

Sites out there that depend on this bug/feature in IE will break. And we know 
there exist many IE-crafted sites out there (although I guess nobody really 
knows how many of those might depend on this particular thing).

I'm guessing this is a difference that simply will remain for a good while 
forward. The non-IE browsers won't do it this way due to security and IE does 
it this way by tradition and the good old "we won't change any behaviors since 
then something will break for our users".

So, I'm afraid I'm leaning towards (3): Allow both behaviors.