Re: I-D Action: draft-ietf-httpbis-cookie-alone-01.txt

Mike West <mkwst@google.com> Mon, 05 September 2016 09:28 UTC

In-Reply-To: <147306306545.3057.14549300855211996670.idtracker@ietfa.amsl.com>
References: <147306306545.3057.14549300855211996670.idtracker@ietfa.amsl.com>
From: Mike West <mkwst@google.com>
Date: Mon, 5 Sep 2016 11:22:36 +0200
Message-ID: <CAKXHy=eiq8WvYJd7mV74mYmxJ__LrTOhpjiYHMAiqFcCQwT0gA@mail.gmail.com>
To: internet-drafts@ietf.org
Cc: i-d-announce@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>

The diff between this and the previous draft is fairly minimal. In short,
we've added a path-matching check to the storage model modifications
suggested in
https://tools.ietf.org/html/draft-ietf-httpbis-cookie-alone-01#section-3 in
order to deal with real-world compatibility issues raised in
https://github.com/httpwg/http-extensions/issues/223 (and
https://bugs.chromium.org/p/chromium/issues/detail?id=580770).

Working on porting that change into Chrome's implementation now.

-mike

On Mon, Sep 5, 2016 at 10:11 AM, <internet-drafts@ietf.org> wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Hypertext Transfer Protocol of the IETF.
>
>         Title           : Deprecate modification of 'secure' cookies from
> non-secure origins
>         Author          : Mike West
>         Filename        : draft-ietf-httpbis-cookie-alone-01.txt
>         Pages           : 6
>         Date            : 2016-09-05
>
> Abstract:
>    This document updates RFC6265 by removing the ability for a non-
>    secure origin to set cookies with a 'secure' flag, and to overwrite
>    cookies whose 'secure' flag is set.  This deprecation improves the
>    isolation between HTTP and HTTPS origins, and reduces the risk of
>    malicious interference.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-httpbis-cookie-alone/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-httpbis-cookie-alone-01
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-httpbis-cookie-alone-01
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
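To make the storage-model change under discussion concrete, here is an added Python sketch (not text from the draft, and not Chrome's implementation) of the two section 3 checks as read here: a non-secure origin may neither set a Secure cookie nor set a cookie whose name matches an existing Secure cookie with a matching domain and, as of -01, whose path the new cookie path-matches. The domain-match and path-match helpers follow RFC 6265 sections 5.1.3 and 5.1.4; which schemes count as "secure" is an assumption.

```python
import ipaddress
from dataclasses import dataclass
SECURE_SCHEMES = {"https", "wss"}  # assumption: the schemes treated as "secure"

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str   # host or Domain attribute, already canonicalised to lower case
    path: str
    secure: bool = False

def domain_matches(string: str, domain: str) -> bool:
    # RFC 6265 s5.1.3: `string` domain-matches `domain` (both lower case)
    if string == domain:
        return True
    try:
        ipaddress.ip_address(string)  # an IP address only matches exactly
        return False
    except ValueError:
        return string.endswith(domain) and string[-len(domain) - 1] == "."

def path_matches(request_path: str, cookie_path: str) -> bool:
    # RFC 6265 s5.1.4: `request_path` path-matches `cookie_path`
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

class CookieStore:
    def __init__(self) -> None:
        self.cookies: list[Cookie] = []

    def set_cookie(self, scheme: str, cookie: Cookie) -> bool:
        """Cookie-alone checks, then RFC 6265 replace-on-match; True if stored."""
        if scheme.lower() not in SECURE_SCHEMES:
            # Rule 1: a non-secure origin cannot create a Secure cookie at all.
            if cookie.secure:
                return False
            # Rule 2: nor overwrite/shadow a same-name Secure cookie whose domain
            # matches and whose path the new cookie path-matches (the -01 addition).
            for old in self.cookies:
                if (old.name == cookie.name and old.secure
                        and (domain_matches(old.domain, cookie.domain)
                             or domain_matches(cookie.domain, old.domain))
                        and path_matches(cookie.path, old.path)):
                    return False
        # Ordinary replacement: same name, domain and path overwrite the old cookie.
        self.cookies = [c for c in self.cookies
                        if (c.name, c.domain, c.path) != (cookie.name, cookie.domain, cookie.path)]
        self.cookies.append(cookie)
        return True
```

The path-match criterion is what lets a non-secure cookie at `/` coexist with a Secure cookie scoped to `/admin`, which is the compatibility case the -01 change is aimed at.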