Re: [http-state] Ticket 6: host-only cookies

Julian Reschke <julian.reschke@gmx.de> Fri, 29 January 2010 08:21 UTC

Message-ID: <4B629A92.9090101@gmx.de>
Date: Fri, 29 Jan 2010 09:21:38 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) Gecko/20060516 Thunderbird/1.5.0.4 Mnenhy/0.7.4.666
MIME-Version: 1.0
To: Bil Corry <bil@corry.biz>
References: <7789133a1001220050m56cc438x35099b7972639331@mail.gmail.com> <alpine.DEB.2.00.1001220957240.9467@tvnag.unkk.fr> <33259CFA-E50A-46D7-A315-5D68ACB69CDB@apple.com> <2C56E4FA-8BE2-479A-AA53-E64DC3A907E2@gbiv.com> <4B628D14.9080003@corry.biz>
In-Reply-To: <4B628D14.9080003@corry.biz>
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Daniel Stenberg <daniel@haxx.se>, http-state <http-state@ietf.org>
Subject: Re: [http-state] Ticket 6: host-only cookies

Bil Corry wrote:
> ...
> The spec we produce may not pass IESG review anyway given we're specifying behavior that violates RFC 2109 (and presumably httpbis).  The purpose of this WG is to create a spec that reflects how cookies are actually implemented in real life across common UAs and servers, including the insecure and inconsistent behavior.  Your position that 'vendors will adjust their behavior' has not borne out as RFC 2965 illustrates (and the very reason for this WG).
> ...

Where specifically do you expect a violation of HTTPbis, except for the 
well-known issue about the header syntax not following the HTTP rules 
for repeated headers?

BR, Julian
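The "well-known issue" Julian refers to is that HTTP (RFC 2616 section 4.2) lets a recipient combine repeated header fields of the same name into one comma-joined value, while Set-Cookie uses the comma inside its own grammar (the Expires attribute carries an RFC 1123 date such as "Wed, 09 Jun 2021 10:18:14 GMT"). The following Python is an added illustration of that conflict and is not code from the thread or from any of the participants; the two Set-Cookie header fields are constructed sample input, and the helper names (`fold_headers`, `naive_split`, `parse_set_cookie`) are this example's own.

```python
"""
Why Set-Cookie cannot be folded like an ordinary repeated HTTP header.

A generic HTTP library that applies the RFC 2616 rule (join repeated fields
with ", ", later split on ",") silently corrupts cookies: the Expires date is
cut at its comma and the remainder surfaces as a bogus extra cookie.  The
defensive behaviour is to keep every Set-Cookie field separate and never fold.
"""
from typing import Dict, List, Tuple

# Constructed sample: two Set-Cookie fields as a server would emit them.
RAW_SET_COOKIE_HEADERS: List[str] = [
    "SID=31d4d96e407aad42; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/",
    "lang=en-US; Path=/; HttpOnly",
]


def fold_headers(values: List[str]) -> str:
    """RFC 2616 4.2 style folding: repeated fields become one comma-joined value."""
    return ", ".join(values)


def naive_split(folded: str) -> List[str]:
    """What a list-aware HTTP parser does with a folded value: split on commas."""
    return [part.strip() for part in folded.split(",")]


def parse_set_cookie(value: str) -> Tuple[str, str, Dict[str, str]]:
    """Parse one Set-Cookie value into (name, value, {attribute: value}).

    Attributes are keyed by lower-cased name; flag attributes such as
    HttpOnly map to an empty string.
    """
    pieces = [p.strip() for p in value.split(";")]
    name, _, val = pieces[0].partition("=")
    attrs: Dict[str, str] = {}
    for piece in pieces[1:]:
        key, _, attr_val = piece.partition("=")
        attrs[key.strip().lower()] = attr_val.strip()
    return name.strip(), val.strip(), attrs


def cookie_names_from_naive_fold(values: List[str]) -> List[str]:
    """Cookie names a receiver sees after folding and then comma-splitting."""
    return [parse_set_cookie(v)[0] for v in naive_split(fold_headers(values))]


def cookie_names_per_header(values: List[str]) -> List[str]:
    """Cookie names when each Set-Cookie field is parsed on its own (the safe path)."""
    return [parse_set_cookie(v)[0] for v in values]


if __name__ == "__main__":
    print("folded + split :", cookie_names_from_naive_fold(RAW_SET_COOKIE_HEADERS))
    print("one field each :", cookie_names_per_header(RAW_SET_COOKIE_HEADERS))
    folded_first = naive_split(fold_headers(RAW_SET_COOKIE_HEADERS))[0]
    print("Expires after folding:", parse_set_cookie(folded_first)[2].get("expires"))
```

Running it shows three "cookies" on the folded path (the third being the tail of the date, `09 Jun 2021 10:18:14 GMT`) and the SID cookie's Expires reduced to `Wed`, versus the two intended cookies with an intact Expires when the fields are left unfolded. This is the behaviour a receiver or proxy must avoid, and the reason a cookie spec has to carve Set-Cookie out of HTTP's generic repeated-header rule.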