Re: Proposal: Optional "Purpose" Attribute for Set-Cookie Header
Greg Wilkins <gregw@webtide.com> Mon, 26 August 2024 00:04 UTC
From: Greg Wilkins <gregw@webtide.com>
Date: Mon, 26 Aug 2024 10:02:51 +1000
Message-ID: <CAAPGdfGS2nEkjoz7w1rduv7Vm33vU0-x0oX869cX=Z2JWD3BFg@mail.gmail.com>
To: joao@penteado.me
Cc: ietf-http-wg@w3.org
Archived-At: <https://www.w3.org/mid/CAAPGdfGS2nEkjoz7w1rduv7Vm33vU0-x0oX869cX=Z2JWD3BFg@mail.gmail.com>
On Sun, 25 Aug 2024 at 04:08, João Penteado <joao@penteado.me> wrote:

> ... Of course, this proposal hinges on the assumption that servers would be willing
> to adopt this standard and honestly disclose a cookie's purpose. I believe this
> is a reasonable expectation for the following reasons:
>
> 1. Websites that implement cookie consent pop-ups are already disclosing the
> purpose of cookies, albeit with a suboptimal user experience. Misrepresentation
> could expose them to legal risks. The UX issues are not present in websites not
> implementing the pop-ups, so it wouldn't affect them anyway.

There are indeed many websites that in good faith try to optimise the cookie purpose conversation. However, there are also many other sites that do not, and deliberately adopt UX that makes accepting all easy and any other form of consent difficult. Thus, I do not think that any proposal can dismiss the existence of bad actors.

So if a purpose is established to allow cookies to be set without an intrusive UX, then what is to stop bad actors from abusing that? I.e. having a cookie that is used for some minimal type of auth, but whose primary purpose is tracking and/or marketing?

Surely such a scheme will only work if there is real legal sanction for misrepresenting the purpose of a cookie, so can this be solved purely with technology/specification?

regards

--
Greg Wilkins <gregw@webtide.com>
CTO http://webtide.com