Re: [http-state] Ticket 6: host-only cookies

Maciej Stachowiak <> Sun, 24 January 2010 04:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 87EE13A699D for <>; Sat, 23 Jan 2010 20:36:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -103.999
X-Spam-Status: No, score=-103.999 tagged_above=-999 required=5 tests=[BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cFCTeAI7zyYE for <>; Sat, 23 Jan 2010 20:36:41 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id CE62E3A6782 for <>; Sat, 23 Jan 2010 20:36:41 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 04075818DCE5 for <>; Sat, 23 Jan 2010 20:36:42 -0800 (PST)
X-AuditID: 11807136-b7bafae000000e8d-18-4b5bce597919
Received: from ( []) by (Apple SCV relay) with SMTP id C9.1D.03725.95ECB5B4; Sat, 23 Jan 2010 20:36:41 -0800 (PST)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from [] by (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <> for; Sat, 23 Jan 2010 20:36:41 -0800 (PST)
From: Maciej Stachowiak <>
In-reply-to: <>
Date: Sat, 23 Jan 2010 20:36:39 -0800
Message-id: <>
References: <> <>
To: Daniel Stenberg <>
X-Mailer: Apple Mail (2.1077)
X-Brightmail-Tracker: AAAAAQAAAZE=
Cc: http-state <>
Subject: Re: [http-state] Ticket 6: host-only cookies
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 24 Jan 2010 04:36:42 -0000

On Jan 22, 2010, at 3:00 AM, Daniel Stenberg wrote:

> On Fri, 22 Jan 2010, Adam Barth wrote:
>> 1) Specify host-only cookies to match Firefox, Chrome, Safari, and Opera. This is best for security, and I think there's a good chance that IE will adopt host-only cookies in future, but I don't have any citable evidence for this belief.  (The draft currently matches this proposal.)
> Even though this would be the best security option (and in general I think it makes more sense), I don't think we can neglect that one rather widely used implementation doesn't do it this way.
> Sites out there that depend on this bug/feature in IE will break. And we know there exist many IE-crafted sites out there (although I guess nobody really knows how many of those that might depend on this particular thing).
> I'm guessing this is a difference that simply will remain for a good while forward. The non-IE browsers won't do it this way due to security and IE does it this way by tradition and the good old "we won't change any behaviors since then something will break for our users".
> So, I'm afraid I'm leaning towards (3): Allow both behaviors.

If Microsoft is unwilling to change their behavior, then I'd like to hear it from them rather than guessing. Are there any Microsoft reps in this group? Can we get any to join?

I would strongly prefer a single behavior unless we get a clear statement from Microsoft that they absolutely will not change.