[http-state] future window scope based on cakes?

Mike Wilson <mikewse@hotmail.com> Fri, 03 December 2010 20:01 UTC

Hi Adam,

Earlier this year [1] we discussed state scoped on individual 
windows or tabs:

Mike Wilson wrote:
> Adam Barth wrote:
> >  Set-Cookie: ... Scope=browsing_context; ...
> >
> > that would cause the user agent to only send this cookie for the
> > specified scope (here: browsing context  = window or tab) that
> > received it.
> >
> > The Scope parameter could be a general mechanism specified by the
> > cookie spec, possibly with allowed values specified in other
> > specs more applicable to each host environment.
> 
> This sounds like an interesting idea.  In a future version of the
> cookie protocol, we should consider a cookie scope akin to the scope
> used by sessionStorage in HTML5.  Ideally, we'd find a way of defining
> a scope that helps mitigate CSRF vulnerabilities at the same time.

I see that you have addressed CSRF in cakes. Were/are you thinking 
that cakes is the better place to add future window scopes to?

Best regards
Mike Wilson

[1] http://www.ietf.org/mail-archive/web/http-state/current/msg00797.html
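To make the browsing-context scoping idea in the quoted exchange concrete, here is an added illustration (not code from this thread, the cookie spec, or any user agent): a toy cookie jar that models the hypothetical `Scope=browsing_context` attribute. Cookies carrying that attribute remember the window/tab that received them and are only attached to requests issued from that same context, which is the property that limits what a cross-context (e.g. CSRF) request can carry. Host, cookie names and context ids are constructed sample values.

```javascript
// Hypothetical model of a "Scope=browsing_context" cookie attribute as
// discussed on the list; this is an illustration, not a shipped UA design.
// Parse a Set-Cookie header into {name, value, scope}; scope defaults to
// the ordinary host-wide behaviour when no Scope attribute is present.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map(s => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), scope: "host" };
  for (const a of attrs) {
    const [k, v = ""] = a.split("=").map(s => s.trim());
    if (k.toLowerCase() === "scope") cookie.scope = v.toLowerCase();
  }
  return cookie;
}

class CookieJar {
  constructor() { this.store = []; }
  // Record a Set-Cookie header that browsing context `contextId` received from `host`.
  receive(host, contextId, header) {
    const c = parseSetCookie(header);
    c.host = host;
    // Only context-scoped cookies remember the receiving window/tab; others are host-wide.
    c.contextId = c.scope === "browsing_context" ? contextId : null;
    // Replace any existing cookie with the same (host, name, context) key.
    this.store = this.store.filter(e => !(e.host === host && e.name === c.name && e.contextId === c.contextId));
    this.store.push(c);
  }
  // Build the Cookie header for a request to `host` issued from `contextId`.
  cookieHeader(host, contextId) {
    return this.store
      .filter(c => c.host === host && (c.contextId === null || c.contextId === contextId))
      .map(c => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Constructed scenario: tab-1 logs in and gets a context-scoped session cookie
// plus an ordinary host-wide preference cookie.
function demo() {
  const jar = new CookieJar();
  jar.receive("bank.example", "tab-1", "sid=abc123; Scope=browsing_context; Secure");
  jar.receive("bank.example", "tab-1", "lang=en; Path=/");
  return {
    sameTab: jar.cookieHeader("bank.example", "tab-1"),
    // A request to bank.example issued from a different tab (for example a
    // cross-site form post launched there) does not carry the session cookie.
    otherTab: jar.cookieHeader("bank.example", "tab-2"),
  };
}
```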