Re: draft-west-leave-secure-cookies-alone

Willy Tarreau <w@1wt.eu> Thu, 22 October 2015 11:50 UTC

Date: Thu, 22 Oct 2015 13:47:20 +0200
From: Willy Tarreau <w@1wt.eu>
To: Mike West <mkwst@google.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20151022114720.GB4522@1wt.eu>
References: <CABkgnnXnC+TxPipsvLaGmDtD31ACyUcwYvy2RfmO9k08tw9Y_w@mail.gmail.com> <CAKXHy=dAc3bnyTMadVr_8q+2mBFMeuVAx4FzDsnKaFDS3MrvTQ@mail.gmail.com>
Subject: Re: draft-west-leave-secure-cookies-alone
Archived-At: <http://www.w3.org/mid/20151022114720.GB4522@1wt.eu>

Hi Mike,

On Thu, Oct 22, 2015 at 01:26:47PM +0200, Mike West wrote:
> About that... https://tools.ietf.org/html/draft-west-origin-cookies-01
> is one approach.

Interesting idea.

> https://tools.ietf.org/html/draft-west-cookie-prefixes-04 is another
> (and has the advantage of being trivial to implement). Chrome's
> implemented the latter (at least the `$Secure-*` prefix) behind a flag
> for folks to start playing with.

This one is indeed less invasive than the first one as it continues to
respect the same header name for example.

Thanks for the explanations.
Willy
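The cookie-prefix mechanism Mike refers to is what makes it "trivial to implement": a user agent only has to inspect the cookie name before storing it. The following is an added illustration, not code from the thread, from Chrome, or from the draft, of the user-agent check as I understand draft-west-cookie-prefixes: a cookie whose name starts with the `$Secure-` prefix is accepted only when it carries the Secure attribute and was set over a secure scheme, so a response delivered over plain HTTP cannot plant or overwrite such a cookie. Later versions of the draft and RFC 6265bis renamed the prefix to `__Secure-`, so the prefix string is a constant here; the minimal Set-Cookie parser and the sample headers are constructed for the example.

```python
from urllib.parse import urlparse

# Prefix as written in the draft version cited in the thread; later
# revisions renamed it to "__Secure-", so keep it configurable.
SECURE_PREFIX = "$Secure-"


def parse_set_cookie(header: str):
    """Split a Set-Cookie header value into (name, value, attributes).

    attributes maps lower-cased attribute names to their value, or to True
    for flag attributes such as Secure and HttpOnly. This is a minimal
    parser written for the example, not a full RFC 6265 implementation.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def accept_set_cookie(header: str, request_url: str) -> bool:
    """Return True if a user agent should store the cookie.

    Implements only the prefix rule: a name starting with SECURE_PREFIX is
    stored only when the Secure attribute is present AND the response
    arrived over https. Names without the prefix are untouched, which is
    what keeps the scheme backward compatible with existing cookies.
    """
    name, _, attrs = parse_set_cookie(header)
    if not name.startswith(SECURE_PREFIX):
        return True
    has_secure_attr = attrs.get("secure") is True
    secure_origin = urlparse(request_url).scheme == "https"
    return has_secure_attr and secure_origin


if __name__ == "__main__":
    # Constructed sample headers: the second and third are the cases the
    # prefix is designed to reject (missing Secure; set over plain http).
    samples = [
        ("$Secure-SID=abc; Secure; Path=/", "https://example.com/"),
        ("$Secure-SID=abc; Path=/", "https://example.com/"),
        ("$Secure-SID=evil; Secure", "http://example.com/"),
        ("SID=abc; Path=/", "http://example.com/"),
    ]
    for hdr, url in samples:
        print(f"{url:<22} {hdr:<36} -> {accept_set_cookie(hdr, url)}")
```

The point of the check is the asymmetry: an origin can only ever read the cookie after it has been verified as set from a secure context, so a server that expects `$Secure-SID` knows that a plaintext network position could not have written it.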