Re: Cookies and schemes.
Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Tue, 10 March 2020 18:03 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D5DB3A0765 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 10 Mar 2020 11:03:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.75
X-Spam-Level:
X-Spam-Status: No, score=-2.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jQnUsbsZk9ju for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 10 Mar 2020 11:03:16 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51DA83A077A for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 10 Mar 2020 11:03:13 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1jBjAF-00020J-Gk for ietf-http-wg-dist@listhub.w3.org; Tue, 10 Mar 2020 17:59:35 +0000
Resent-Date: Tue, 10 Mar 2020 17:59:35 +0000
Resent-Message-Id: <E1jBjAF-00020J-Gk@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <spencerdawkins.ietf@gmail.com>) id 1jBjA1-0001zE-2d for ietf-http-wg@listhub.w3.org; Tue, 10 Mar 2020 17:59:21 +0000
Received: from mail-lj1-x235.google.com ([2a00:1450:4864:20::235]) by titan.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <spencerdawkins.ietf@gmail.com>) id 1jBj9z-0007bg-IH for ietf-http-wg@w3.org; Tue, 10 Mar 2020 17:59:20 +0000
Received: by mail-lj1-x235.google.com with SMTP id u12so11020400ljo.2 for <ietf-http-wg@w3.org>; Tue, 10 Mar 2020 10:59:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Rf7vruCfi/xoG9w9F9widssTEB2DmxIErF3WxufU9/c=; b=m8K8K31kOpvPdD63/shwQRxKauQ0GF045tWFr1nilhIze6lCOj59QnpsdoBdNtOqBW n5b/HUaSxkVyeW2tLwVQXtc7LUsGZ+1yyrxmzHXBaUjKo7GJ+ws26G56Zdh/TF3FZzoZ ljnE/AJpR6yELKQy7p1MRlf+RNosvKvGbO76EZRzlriwEA4hwsCKrUe5EJjs/JW9eMBQ HouukEMXakWMbZQYKEC2EO87Aklt8zp50zPiL1scihCSGmNnn2sV+pG9kWhrotlHbaqN foFmWi55v2+wE2cIcD61CS97+xr9LHxJ2iASS2bpITsy66n9PC0Mnd5LikMqh3VOpqXw VXHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Rf7vruCfi/xoG9w9F9widssTEB2DmxIErF3WxufU9/c=; b=dNsPtms5id/a6Grk0s1TweDSdfl64QvnbvysNmCleKO1OVLupsYw3qIgknAYkfYdyi Cu/gwoldV7lnZlDdCxhav0Iw20Q1+G1nwZVRB1VMVY/OOLGFQAJ4llHWGmUZYcnNzaG2 CdCeF0kNPDmaMM+iA9jlQwGTW/DUJToV4msujymp9iIxw1HbnY5Wh9Myu50oPNZ91MBB b22MZWUhx9I7cwna8ZS6GPtWjCxba1MKFaexXGRDyJ8ooOo/uKJzbjW91S4Z1uo5jhg6 YSnZzKBsyeJnNF0p012pzvUig10ILZ4MGonM2ICafR2NHtfYa5dfWXDf7eVl4uSQD70p rm9Q==
X-Gm-Message-State: ANhLgQ2RSbynAg1yJoV9q+enwTJmCm4QofqtaA6X3GheT0xLAIxFBhn2 Ao6uXUeuJt3JSXyHJ6xFWLieHnLs+q1eQmCUVvm6bnmL9+s=
X-Google-Smtp-Source: ADFU+vtr2YuQnhtGuLsE5hUcxEQP+5HaqgErklEP35u1svYiX3S3WXXmfB2aWCgMspiaD3G/faSuNw1hBQticdPFVfc=
X-Received: by 2002:a2e:7c04:: with SMTP id x4mr13785292ljc.60.1583863147540; Tue, 10 Mar 2020 10:59:07 -0700 (PDT)
MIME-Version: 1.0
References: <CAKXHy=d260V9_63yNBwLjDG=upZ+HG3iJ8hKbnFc0KU7fCbVcQ@mail.gmail.com> <110aa602-33bd-4fbf-b3af-c5530d95fc44@www.fastmail.com> <CAKXHy=cAiuxSzEFx5TJ8Uzz3mAdXk2yCmq-fi6nLAZ+LRGEoWA@mail.gmail.com> <579453b7-99cf-45cc-809c-c91f29207a1f@www.fastmail.com>
In-Reply-To: <579453b7-99cf-45cc-809c-c91f29207a1f@www.fastmail.com>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Tue, 10 Mar 2020 12:58:41 -0500
Message-ID: <CAKKJt-eZBXn8ZS-QLzvofWYMprPr=QGxcZ84Ffx6hu=91Vmo=A@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="0000000000004833e405a083e09b"
Received-SPF: pass client-ip=2a00:1450:4864:20::235; envelope-from=spencerdawkins.ietf@gmail.com; helo=mail-lj1-x235.google.com
X-W3C-Hub-Spam-Status: No, score=-4.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1jBj9z-0007bg-IH fe1a0e81eaef0690361d16ac1a2b758e
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Cookies and schemes.
Archived-At: <https://www.w3.org/mid/CAKKJt-eZBXn8ZS-QLzvofWYMprPr=QGxcZ84Ffx6hu=91Vmo=A@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37435
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
A minor comment on this exchange: On Tue, Mar 10, 2020 at 2:56 AM Martin Thomson <mt@lowentropy.net> wrote: > > 2. Perhaps we prefix the non-secure cookie names with `__Non-secure-` > > rather than minting a new header? > > That might work. It's new mechanisms, but not new-header-field new > mechanisms. More below. > I'm not an expert at this, but think I'm following the discussion in this thread. Is "Non-secure" the best term that could be used as a prefix? ISTM that part of the game here may be shaming people into not continuing to use this mechanism for months/years/ever, and "secure/non-secure" seems an awfully overloaded term. Could the prefix be more precise about what's at stake if you continue to use it? Random example unlikely to be the best suggestion: compare the shame of __Non-secure to the shame of __Trivially-Hijackable, if that's the case, and it's the worst accurate thing you can think of. If not, please substitute the worst possible accurate characterization. Make good choices, of course. Best, Spencer
- Cookies and schemes. Mike West
- Re: Cookies and schemes. Willy Tarreau
- Re: Cookies and schemes. Martin Thomson
- Re: Cookies and schemes. Willy Tarreau
- Re: Cookies and schemes. Mike West
- Re: Cookies and schemes. Martin Thomson
- Re: Cookies and schemes. David Benjamin
- Re: Cookies and schemes. Spencer Dawkins at IETF
- Re: Cookies and schemes. Willy Tarreau
- Re: Cookies and schemes. Mike West