Re: [http-state] Comments on draft-ietf-httpstate-cookie-08
"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> Sat, 29 May 2010 17:54 UTC
Return-Path: <yngve@opera.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DFA723A6896 for <http-state@core3.amsl.com>; Sat, 29 May 2010 10:54:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.999
X-Spam-Level:
X-Spam-Status: No, score=-3.999 tagged_above=-999 required=5 tests=[BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0nZLrswJqPsa for <http-state@core3.amsl.com>; Sat, 29 May 2010 10:54:23 -0700 (PDT)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by core3.amsl.com (Postfix) with ESMTP id 8F5F83A6862 for <http-state@ietf.org>; Sat, 29 May 2010 10:54:23 -0700 (PDT)
Received: from acorna (30.169.202.84.customer.cdi.no [84.202.169.30]) (authenticated bits=0) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id o4THs83R013859 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 29 May 2010 17:54:09 GMT
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
To: Adam Barth <ietf@adambarth.com>
References: <op.vdfzz8lovqd7e2@killashandra.oslo.osa> <AANLkTikwyQZo-z_U_n3N8c05tY30gHUtIBqEpMg9O4oI@mail.gmail.com>
Date: Sat, 29 May 2010 19:54:00 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
From: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Organization: Opera Software AS
Message-ID: <op.vdhaoaqzqrq7tp@acorna>
In-Reply-To: <AANLkTikwyQZo-z_U_n3N8c05tY30gHUtIBqEpMg9O4oI@mail.gmail.com>
User-Agent: Opera Mail/10.53 (Win32)
Cc: "http-state@ietf.org" <http-state@ietf.org>
Subject: Re: [http-state] Comments on draft-ietf-httpstate-cookie-08
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 May 2010 17:54:25 -0000
On Sat, 29 May 2010 18:51:41 +0200, Adam Barth <ietf@adambarth.com> wrote: > I'll reply to your full email in detail later, but another note: > > On Fri, May 28, 2010 at 6:05 PM, Yngve Nysaeter Pettersen > <yngve@opera.com> wrote: >> IMO the specification should specifically comment on these issues, and >> preferably allow clients to discard cookies with quotes that does not >> match >> the quoted-string syntax, > > User agents already have the option to discard any cookie for any > reason. Adding this text to the spec would be redundant. I think it may still be useful to point out specific issues where such discarding policies are used automatically. My impression of that text is that it focus more on cleanup and user controlled filtering, rather than what policies the client may have implemented. I suspect that most administrators will read it that way too. For example, the draft specifically mentions public suffix as a reason why a client can discard a cookie. >> Perhaps one way to do that is to >> specifically say that the result of using quotes in this fashion is >> undefined? > > Leaving things like this undefined hurts interoperability. The situation for this particular value syntax is already undefined, and while it is a corner case, it can have unanticipated effects, particularly in combination with different cookie ordering algorithms. Putting the server administrators on notice about the issue should hopefully increase interoperability because they can then avoid the problematic cases. If we are going to document cookies as used on the Internet, then I think that includes pointing out the areas that should be avoided, particularly the ones where the results will be undefined. That should not just be done by how the syntax is defined, but also directly mentioning them. This information can be mentioned either as notes (or Notes) in the definitions themselves, or collected in a separate "Implementation pitfalls"-section. -- Sincerely, Yngve N. Pettersen ******************************************************************** Senior Developer Email: yngve@opera.com Opera Software ASA http://www.opera.com/ Phone: +47 24 16 42 60 Fax: +47 24 16 40 01 ********************************************************************
- [http-state] Comments on draft-ietf-httpstate-coo… Yngve Nysaeter Pettersen
- Re: [http-state] Comments on draft-ietf-httpstate… Bjoern Hoehrmann
- Re: [http-state] Comments on draft-ietf-httpstate… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Comments on draft-ietf-httpstate… Adam Barth
- Re: [http-state] Comments on draft-ietf-httpstate… Adam Barth
- Re: [http-state] Comments on draft-ietf-httpstate… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Comments on draft-ietf-httpstate… Adam Barth
- Re: [http-state] Comments on draft-ietf-httpstate… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Comments on draft-ietf-httpstate… Adam Barth