Re: [http-state] Welcome to http-state
"Blake Frantz" <bfrantz@cisecurity.org> Mon, 12 January 2009 23:40 UTC
Date: Mon, 12 Jan 2009 18:40:16 -0500
Message-ID: <120206B6A348CA498C70E738A2E963514C0CDB@Nexus.cisecurity.lan>
In-Reply-To: <7789133a0901121508y51bd1d87g2e89846794c8dcf7@mail.gmail.com>
References: <49679299.6060703@corry.biz><120206B6A348CA498C70E738A2E963514C0CCC@Nexus.cisecurity.lan><7789133a0901121159u1da01de8w77edd52913857358@mail.gmail.com><120206B6A348CA498C70E738A2E963514C0CD2@Nexus.cisecurity.lan><7789133a0901121359p635972bod78e7a46a29c1a8b@mail.gmail.com><120206B6A348CA498C70E738A2E963514C0CD5@Nexus.cisecurity.lan> <7789133a0901121508y51bd1d87g2e89846794c8dcf7@mail.gmail.com>
From: Blake Frantz <bfrantz@cisecurity.org>
To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
Subject: Re: [http-state] Welcome to http-state
> While technically true, this doesn't actually help in practice because
> Secure and non-Secure cookies are serialized identically in the Cookie
> header, making it impossible for the server to tell whether the cookie
> was set over HTTP or HTTPS.

I see what you're saying. However, if the user-agent actively asserts "the integrity of these cookies is preserved" or the server operates on the assumption that the cookie it previously set over HTTPS did not get overwritten via HTTP (much like servers currently assume the user-agent implements the same-origin policy), the server is still in the same position - it must trust what the user agent is telling it with respect to cookie integrity.

> XHR has a generic namespace of headers that can't be set by
> script: those that begin with "Sec-". We could simply name the header
> "Sec-Cookie-Integrity" if we want this behavior.

Good idea.

> Oops. Typo. I meant "overwrite Secure cookies over HTTP (for
> example, during logout)."

Ah, yes, I agree this use case would break. Though, I don't think I've encountered many, if any, instances of this. That surely doesn't mean a million of them don't exist :)

Blake
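The exchange above turns on three observations: the Cookie header carries no trace of the Secure attribute, a user agent could assert integrity through a "Sec-" prefixed header that page script cannot forge, and a user agent that refuses HTTP overwrites of Secure cookies breaks servers that clear a Secure cookie over HTTP at logout. The following is an added example written for this archive page, not code from any participant in the thread or from any browser. It models a toy cookie jar under both policies; the header name Sec-Cookie-Integrity comes from the thread, but its value format (a list of cookie names whose current value was set over HTTPS) is an assumption made here, and all cookie values are constructed.

```python
"""Toy model of cookie serialization and of the Sec-Cookie-Integrity idea.

Constructed example for illustration; not a browser's real cookie code.
"""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool           # Secure attribute present on the Set-Cookie
    set_over_https: bool   # whether the current value arrived over HTTPS


class CookieJar:
    def __init__(self, protect_secure: bool):
        # protect_secure=True: a cookie carrying the Secure attribute may not be
        # replaced by a Set-Cookie received over plain HTTP.
        self.protect_secure = protect_secure
        self.cookies: dict[str, Cookie] = {}

    def set_cookie(self, header_value: str, over_https: bool) -> bool:
        """Parse a minimal Set-Cookie value (name=value; attrs) and store it.

        Returns True if the cookie was stored, False if the policy rejected it.
        """
        parts = [p.strip() for p in header_value.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {p.lower() for p in parts[1:]}
        existing = self.cookies.get(name)
        if (self.protect_secure and existing is not None
                and existing.secure and not over_https):
            return False  # refuse to overwrite a Secure cookie from HTTP
        self.cookies[name] = Cookie(name, value, "secure" in attrs, over_https)
        return True

    def _sent(self, over_https: bool) -> list[Cookie]:
        # Secure cookies are only attached to HTTPS requests.
        return [c for c in self.cookies.values() if over_https or not c.secure]

    def cookie_header(self, over_https: bool) -> str:
        """Serialize the Cookie header. The Secure attribute does not appear,
        so the server cannot tell how the value reached the jar."""
        return "; ".join(f"{c.name}={c.value}" for c in self._sent(over_https))

    def integrity_header(self, over_https: bool) -> str:
        """Hypothetical Sec-Cookie-Integrity value (format assumed here): the
        names of attached cookies whose current value was set over HTTPS."""
        return ", ".join(c.name for c in self._sent(over_https) if c.set_over_https)


def demo(protect_secure: bool) -> dict:
    """Run the scenario from the thread under one policy and report results."""
    jar = CookieJar(protect_secure)
    # Constructed: the server sets a Secure session cookie over HTTPS.
    jar.set_cookie("session=abc123; Secure; HttpOnly", over_https=True)
    # Constructed: a Set-Cookie for the same name arrives over plain HTTP.
    # This is what an HTTP logout page clearing the cookie looks like, and
    # also what an HTTP-only overwrite of the value looks like.
    overwritten = jar.set_cookie("session=xyz789", over_https=False)
    return {
        "overwritten": overwritten,
        "cookie_header": jar.cookie_header(over_https=True),
        "integrity_header": jar.integrity_header(over_https=True),
    }


if __name__ == "__main__":
    for policy in (False, True):
        print(f"protect_secure={policy}: {demo(policy)}")
```

With protect_secure=False the HTTP overwrite succeeds and the HTTPS request carries "session=xyz789", a Cookie header indistinguishable in shape from the original; only the assumed integrity header, which is then empty, tells the server the value no longer comes from its HTTPS Set-Cookie. With protect_secure=True the overwrite is refused, which preserves the original value but is also exactly what breaks the HTTP-logout pattern mentioned in the thread.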