Re: [http-state] One last attempt to get y'all to like the idea of a non-inclusive Set-Cookie design
Paul James Hammant <phammant@thoughtworks.com> Thu, 18 November 2010 21:22 UTC
Return-Path: <phammant@thoughtworks.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 12AD03A68F8 for <http-state@core3.amsl.com>; Thu, 18 Nov 2010 13:22:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.232
X-Spam-Level:
X-Spam-Status: No, score=-5.232 tagged_above=-999 required=5 tests=[AWL=0.744, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TkKUEz-+smqj for <http-state@core3.amsl.com>; Thu, 18 Nov 2010 13:21:59 -0800 (PST)
Received: from na3sys009aog101.obsmtp.com (na3sys009aog101.obsmtp.com [74.125.149.67]) by core3.amsl.com (Postfix) with SMTP id E7E853A68F3 for <http-state@ietf.org>; Thu, 18 Nov 2010 13:21:58 -0800 (PST)
Received: from source ([74.125.82.48]) by na3sys009aob101.postini.com ([74.125.148.12]) with SMTP ID DSNKTOWZIqkede339IYpH+kwrZQ5mpVKPngd@postini.com; Thu, 18 Nov 2010 13:22:47 PST
Received: by wwb39 with SMTP id 39so3825882wwb.17 for <http-state@ietf.org>; Thu, 18 Nov 2010 13:22:15 -0800 (PST)
Received: by 10.227.132.209 with SMTP id c17mr1280341wbt.24.1290115333940; Thu, 18 Nov 2010 13:22:13 -0800 (PST)
MIME-Version: 1.0
Received: by 10.227.152.78 with HTTP; Thu, 18 Nov 2010 13:21:53 -0800 (PST)
In-Reply-To: <B558AA9B-6879-4730-B85F-AF9C06F60399@apple.com>
References: <AANLkTinfDu8SEJC8yd+q8dCOMOROpsBtOcgos4kTs=y3@mail.gmail.com> <B558AA9B-6879-4730-B85F-AF9C06F60399@apple.com>
From: Paul James Hammant <phammant@thoughtworks.com>
Date: Thu, 18 Nov 2010 15:21:53 -0600
Message-ID: <AANLkTinPC7GtaS_Cx6G-HZGkM6JD+SgaGY5mApSFjy4M@mail.gmail.com>
To: Mark Pauley <mpauley@apple.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] One last attempt to get y'all to like the idea of a non-inclusive Set-Cookie design
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Nov 2010 21:22:02 -0000
So my follow up blog entry isn't suggesting regex (and its 'two problems') anymore, it is a comma separated bang (!) prefixed expression that looks like the current path concept. Also the follow-up blog entry is about pitching the need of mom and pop sites who are not going to get into the business of CDNs. Lastly, in terms of URLs dynamic resources are nearly always mounted at root: examples.com/buyIt?.. rather than in a directory like examples.com/dynamic/buyIt because the end users see this URL (at least if they are reasonably technical and gaze up). I'm not going to respond to the implicit suggest that the cookie spec should be parked broken forever :-P Well thanks for listening anyway :) - Paul On Thu, Nov 18, 2010 at 3:00 PM, Mark Pauley <mpauley@apple.com> wrote: > Honestly, while we've discussed this idea before (that we are wasting resources sending a server state for a stateless resource), I think that adding complexity to the cookies design is not a great way to go. > > There's a saying that I think is applicable here: You've got a problem, so you try to solve it using regular expressions. Now you have two problems. > > > > Why not partition your site either into two domains (one with static content, one without) or into two directories. > > /static > /dynamic > > - set the cookies for these two paths and you'll get your same result tomorrow instead of whenever your RFC addition is approved. > > > Here's my best argument: nobody can even get the current cookie RFC's implemented correctly. Why would adding a complicated 'not-path' semantic work? Let's just stick with codifying the current lowest-common-denominator behavior of all major browsers and pickle cookies going forward. If we need to do something cookies can't do, use it as an opportunity to kill cookies. > > My advice for you right now is to set minimal cookies and make all of the smarts on your backend where you have control. > > > On Nov 18, 2010, at 11:54 AM, Paul James Hammant wrote: > >> Refer - http://paulhammant.com/blog/not-path-cookies.html >> >> It is a modification to my proposal last month; Better this time based >> on the comments in this mail list when I last proposed it. I also >> reference the Michal Zalewski blog posting critical of cookies >> >> I think it is even more relevant given the >> http://www.eff.org/pages/how-deploy-https-correctly posting from three >> days ago where the EFF suggests no more mixed content (see below). >> >> -Paul >> >> From the EFF blog entry: >> >> ** Mixed Content ** >> >> When hosting an application over HTTPS, there can be no mixed content; >> that is, all content in the page must be fetched via HTTPS. It is >> common to see partial HTTPS support on sites, in which the main pages >> are fetched via HTTPS but some or all of the media elements, >> stylesheets, and JavaScript in the page are fetched via HTTP. >> >> This is unsafe because although the main page load is protected >> against active and passive network attack, none of the other resources >> are. If a page loads some JavaScript or CSS code via HTTP, an attacker >> can provide a false, malicious code file and take over the page’s DOM >> once it loads. Then, the user would be back to a situation of having >> no security. This is why all mainstream browsers warn users about >> pages that load mixed content. Nor is it safe to reference images via >> HTTP: What if the attacker swapped the Save Message and Delete Message >> icons in a webmail app? >> >> You must serve the entire application domain over HTTPS. Redirect HTTP >> requests with HTTP 301 or 302 responses to the equivalent HTTPS >> resource. >> >> Some site operators provide only the login page over HTTPS, on the >> theory that only the user’s password is sensitive. These sites’ users >> are vulnerable to passive and active attack. >> _______________________________________________ >> http-state mailing list >> http-state@ietf.org >> https://www.ietf.org/mailman/listinfo/http-state > > _Mark > mpauley@apple.com > > > > > -- Regards, - Paul Hammant Principal Consultant, ThoughtWorks Cell: 415 999 4637
- [http-state] One last attempt to get y'all to lik… Paul James Hammant
- Re: [http-state] One last attempt to get y'all to… Mark Pauley
- Re: [http-state] One last attempt to get y'all to… Paul James Hammant
- Re: [http-state] One last attempt to get y'all to… Mark Pauley