Re: Cookie-Attribute request header proposal
Daniel Stenberg <daniel@haxx.se> Sun, 04 September 2016 11:11 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F74112B0E2 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 4 Sep 2016 04:11:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.53
X-Spam-Level:
X-Spam-Status: No, score=-6.53 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.508, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7T4N6qy225HK for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 4 Sep 2016 04:11:30 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF1CB12B046 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 4 Sep 2016 04:11:29 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1bgVFw-0002Lz-27 for ietf-http-wg-dist@listhub.w3.org; Sun, 04 Sep 2016 11:06:32 +0000
Resent-Date: Sun, 04 Sep 2016 11:06:32 +0000
Resent-Message-Id: <E1bgVFw-0002Lz-27@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <daniel@haxx.se>) id 1bgVFk-0002Ko-JS for ietf-http-wg@listhub.w3.org; Sun, 04 Sep 2016 11:06:20 +0000
Received: from giant.haxx.se ([80.67.6.50]) by lisa.w3.org with esmtp (Exim 4.80) (envelope-from <daniel@haxx.se>) id 1bgVFi-0000UT-LE; Sun, 04 Sep 2016 11:06:20 +0000
Received: from giant.haxx.se (localhost.localdomain [127.0.0.1]) by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u84B5sA0029300 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 4 Sep 2016 13:05:54 +0200
Received: from localhost (dast@localhost) by giant.haxx.se (8.15.2/8.15.2/Submit) with ESMTP id u84B5r7f029294; Sun, 4 Sep 2016 13:05:53 +0200
X-Authentication-Warning: giant.haxx.se: dast owned process doing -bs
Date: Sun, 04 Sep 2016 13:05:53 +0200
From: Daniel Stenberg <daniel@haxx.se>
X-X-Sender: dast@giant.haxx.se
To: David Eckel <dvdckl@gmail.com>
cc: HTTP Working Group <ietf-http-wg@w3.org>, Yves Lafon <ylafon@w3.org>
In-Reply-To: <d2bfa27c-b5a9-ac53-d864-5f0e61ad062a@gmail.com>
Message-ID: <alpine.DEB.2.20.1609041255450.15530@tvnag.unkk.fr>
References: <d2bfa27c-b5a9-ac53-d864-5f0e61ad062a@gmail.com>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
X-fromdanielhimself: yes
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Received-SPF: pass client-ip=80.67.6.50; envelope-from=daniel@haxx.se; helo=giant.haxx.se
X-W3C-Hub-Spam-Status: No, score=-6.9
X-W3C-Hub-Spam-Report: AWL=0.761, BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.508, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1bgVFi-0000UT-LE d75545d673f61cdaf6f28b8eac6f8b12
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Cookie-Attribute request header proposal
Archived-At: <http://www.w3.org/mid/alpine.DEB.2.20.1609041255450.15530@tvnag.unkk.fr>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/32375
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On Thu, 1 Sep 2016, David Eckel wrote: > Cookie: analyticsId=1;analyticsId=2;__Cookie-Attribute=Path,Domain > Cookie-Attribute: > Path=/,Domain=www.example.com;Path=/index,Domain=.example.com;Path=/,Domain=www.example.com > - Opt-in security means a long road to adoption It's too long road IMO. It'll make every server implementation having to default to non-supporting clients and there will never be 100% compliance so this header will significantly complicate the server (and client) implementations for a very long time (complete deprecating things on the Internet is hard and all that) and yet for any client that wants to avoid that setup they'll just not send the header... This, in an area that has turned out harder to change than most other HTTP areas (remember all the funky cookies RFCs that have been attemped through the years) since (I suspect) server side cookie implementations are so often custom and hand rolled out and are not just half a dozen major implmentations you can upgrade to the latest version and be done with it. So no, I don't see this suggestion as a good road forward. -- / daniel.haxx.se
- Cookie-Attribute request header proposal David Eckel
- Re: Cookie-Attribute request header proposal Daniel Stenberg