Re: [http-state] Apps area review of draft-ietf-httpstate-cookie-19
Adam Barth <ietf@adambarth.com> Sun, 05 December 2010 20:50 UTC
Return-Path: <ietf@adambarth.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 10A163A6B1F; Sun, 5 Dec 2010 12:50:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.014
X-Spam-Level:
X-Spam-Status: No, score=-4.014 tagged_above=-999 required=5 tests=[AWL=-1.037, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EK5rZ1RDKdBu; Sun, 5 Dec 2010 12:50:02 -0800 (PST)
Received: from mail-qy0-f172.google.com (mail-qy0-f172.google.com [209.85.216.172]) by core3.amsl.com (Postfix) with ESMTP id C3EE43A6B1E; Sun, 5 Dec 2010 12:50:01 -0800 (PST)
Received: by qyk34 with SMTP id 34so2807531qyk.10 for <multiple recipients>; Sun, 05 Dec 2010 12:51:23 -0800 (PST)
Received: by 10.224.60.198 with SMTP id q6mr3743279qah.273.1291582283490; Sun, 05 Dec 2010 12:51:23 -0800 (PST)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by mx.google.com with ESMTPS id nb14sm2993160qcb.0.2010.12.05.12.51.21 (version=SSLv3 cipher=RC4-MD5); Sun, 05 Dec 2010 12:51:22 -0800 (PST)
Received: by vws7 with SMTP id 7so4562320vws.31 for <multiple recipients>; Sun, 05 Dec 2010 12:51:21 -0800 (PST)
Received: by 10.220.189.138 with SMTP id de10mr1145400vcb.169.1291582281074; Sun, 05 Dec 2010 12:51:21 -0800 (PST)
MIME-Version: 1.0
Received: by 10.220.123.142 with HTTP; Sun, 5 Dec 2010 12:50:50 -0800 (PST)
In-Reply-To: <AANLkTinsO=YNNe701VUZjgpmTCjHAbeDNUiG=rv6dq+x@mail.gmail.com>
References: <AANLkTinsO=YNNe701VUZjgpmTCjHAbeDNUiG=rv6dq+x@mail.gmail.com>
From: Adam Barth <ietf@adambarth.com>
Date: Sun, 05 Dec 2010 12:50:50 -0800
Message-ID: <AANLkTine3BG_ndavFqQTYiBNy+sdaSpASSKJaBVssVKk@mail.gmail.com>
To: Lisa Dusseault <lisa.dusseault@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: Alexey Melnikov <alexey.melnikov@isode.com>, Peter Saint-Andre <stpeter@gmail.com>, SM <sm+ietf@elandsys.com>, apps-discuss@ietf.org, http-state@ietf.org
Subject: Re: [http-state] Apps area review of draft-ietf-httpstate-cookie-19
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Dec 2010 20:50:03 -0000
On Sun, Dec 5, 2010 at 10:05 AM, Lisa Dusseault <lisa.dusseault@gmail.com> wrote: > Hi Adam and others, > > I have been selected as the Applications Area Review Team reviewer for > this draft (for background on apps-review, please see > http://www.apps.ietf.org/content/applications-area-review-team). > > Document: draft-ietf-httpstate-cookie-19 > Title: HTTP State Management Mechanism > Reviewer: Lisa Dusseault > Review Date: Dec 5, 2010 > IETF Last Call Date: 2010-11-29 > IESG Telechat Date: 2010-12-16] > Summary: I recommend this document for publication. The document > alone is quite valuable, and the actions to register headers and mark > other documents as historic makes it even more useful to the Internet > community. I also found this document had strong investigation, > discussion and reviews in its history. > > Major Issues: None > Minor Issues: > Section 3. "Origin servers can send a Set-Cookie response header with > any response.". Do we happen to know if it's more common for user > agents to handle, or ignore Set-Cookie response headers on error > responses? I'd be surprised if user-agents do handle them including > on 500-level, 400-level and particularly on a 100 Continue response, > but I haven't tested it. Is it part of your tests? I haven't tested those cases specifically. I suspect user agents process Set-Cookie headers for 500-level and 400-level responses. I'm less sure about 100-level responses. > So while this > statement is factual, it might not help servers much. If my > assumption about some clients ignoring the header on some classes of > responses is correct, I would add that information to the document in > a non-normative sentence. I'll test this and update the document accordingly. > Section 4. As a matter of taste, my choice would be to make it even > more clear that third-party cookie protections erected by user agents > cannot provide the desired protection from cooperating servers. E.g. > "No limitations on cookie use can prevent cooperating servers from > injecting identifying information in dynamic URLs." Sure. I wasn't exactly sure where you'd like this text to appear. We don't seem to mention third-party cookies in Section 4. In Section 5, we mention them three times. We also discuss them in the privacy considerations. We now have the following text in the Privacy Considerations section: In particular, two collaborating servers can often track users without using cookies at all by injecting identifying information into dynamic URLs. Thanks, Adam
- Re: [http-state] Apps area review of draft-ietf-h… Adam Barth
- [http-state] Apps area review of draft-ietf-https… Lisa Dusseault