IETF Logo Mail Archive

Re: Proposal: Cookie Priorities

Matthew Kerwin <matthew@kerwin.net.au> Mon, 07 March 2016 21:56 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfc.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 6DBC81CDC3C for <ietfarch-httpbisa-archive-bis2Juki@ietfc.amsl.com>; Mon, 7 Mar 2016 13:56:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.921
X-Spam-Level:
X-Spam-Status: No, score=-6.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfc.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.41]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1SuIRoy_CWgo for <ietfarch-httpbisa-archive-bis2Juki@ietfc.amsl.com>; Mon, 7 Mar 2016 13:56:20 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfc.amsl.com (Postfix) with ESMTPS id B0AB21CDC12 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 7 Mar 2016 13:56:20 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1ad33D-0004lI-3G for ietf-http-wg-dist@listhub.w3.org; Mon, 07 Mar 2016 21:50:51 +0000
Resent-Date: Mon, 07 Mar 2016 21:50:51 +0000
Resent-Message-Id: <E1ad33D-0004lI-3G@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <phluid61@gmail.com>) id 1ad335-0004kX-Ab for ietf-http-wg@listhub.w3.org; Mon, 07 Mar 2016 21:50:43 +0000
Received: from mail-oi0-f45.google.com ([209.85.218.45]) by lisa.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <phluid61@gmail.com>) id 1ad332-0005b2-Bl for ietf-http-wg@w3.org; Mon, 07 Mar 2016 21:50:42 +0000
Received: by mail-oi0-f45.google.com with SMTP id r187so89379676oih.3 for <ietf-http-wg@w3.org>; Mon, 07 Mar 2016 13:50:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc; bh=GswAXAhar65SmjURp1xdaNy0n8MfwhKuS9sZXcJ8p98=; b=ZwKKX3cXgXKP8v+qxqNk20/AFrPqs2bexKpZHTOTAWJtx7cExc/zchP8eJP18LpGwV dQTr/KE88vy+wvV2vOt3O9a1CZAON64tkpgpi7JyDFunRfMjCcrjnbBPF8ekw+DfPLay /ogGYEnY6LLrRIHOcsA5q57FYDaZO0VpxuRkzxTCfllV9khxdUPHCkjeoLF1CNIlst64 JKo4BgwfW5peeEZlnOeZ/307rhedXCosWkvGIFQ8vLNkcWJAd5jKksqTlkAZpEMaYNOF k/08lGB0JauJzIwxSDu9nmYZ1qm4ycsgvxKLdfsNG2eUz+ck5olFlQbsIPAuI0xpxxI/ TAHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc; bh=GswAXAhar65SmjURp1xdaNy0n8MfwhKuS9sZXcJ8p98=; b=Ev6VDW4++rt/UJgzXDlfgELtqsGB7xB0EfBarZLDbdRA4/qzgD8WRzyD9LHDuMKBAO Iy3id0nGHJ6T20Xndo4Zn+WqBmd9HRsdZAFUgGRpehecWsSEppUOE6dQg9mLVR32TBPz ns6EjGOlay//zmy+Gr6QCFp1yJqdH2BgWVF4EvkFa1E7LgqUfVtqKd+dNbAQmuwAWOt0 5i5c+JyDlDNBr2iLtp3mjAxM700FDh/dlY7153YvKDuz0Yq12l9ZXP/w0L/1GMO+2s/a lUCVqi3VC6njSA7pzkqzY1HYfMJA0QCwxRGArKLaLFvU4kweHYL6uH6g/CKCGmCr9xur dzKg==
X-Gm-Message-State: AD7BkJKqpSVKxbOrYIjGzDFKj7tCjTh9pO174x2c89VPK7zcrkxbopgpUtkCmUgTSyCwIzuXLtcjK65CwZ5AOQ==
MIME-Version: 1.0
X-Received: by 10.202.232.141 with SMTP id f135mr6910424oih.95.1457387414114; Mon, 07 Mar 2016 13:50:14 -0800 (PST)
Sender: phluid61@gmail.com
Received: by 10.202.181.10 with HTTP; Mon, 7 Mar 2016 13:50:13 -0800 (PST)
Received: by 10.202.181.10 with HTTP; Mon, 7 Mar 2016 13:50:13 -0800 (PST)
In-Reply-To: <CAKXHy=fZkRnThojTU8V9s-Vyps8jG3xOTEF-yKrDs9cqh546mg@mail.gmail.com>
References: <CAKXHy=dvxE5f25_xx3mKTc+XRDU_Hp=uFDy-iL-_c0s+xHGydw@mail.gmail.com> <alpine.DEB.2.20.1603070855070.25615@tvnag.unkk.fr> <CAKXHy=fZkRnThojTU8V9s-Vyps8jG3xOTEF-yKrDs9cqh546mg@mail.gmail.com>
Date: Tue, 08 Mar 2016 07:50:13 +1000
X-Google-Sender-Auth: CCX4z3bSDWM8hO9dePUSwKd5lnQ
Message-ID: <CACweHNB0dOrBFxL6HMTx4o_8-qVFSrRD4C3pARHydStLyuV=gw@mail.gmail.com>
From: Matthew Kerwin <matthew@kerwin.net.au>
To: Mike West <mkwst@google.com>
Cc: Mark Nottingham <mnot@mnot.net>, ietf-http-wg@w3.org
Content-Type: multipart/alternative; boundary="001a11408ca01e5616052d7c7368"
Received-SPF: pass client-ip=209.85.218.45; envelope-from=phluid61@gmail.com; helo=mail-oi0-f45.google.com
X-W3C-Hub-Spam-Status: No, score=-5.1
X-W3C-Hub-Spam-Report: AWL=-0.783, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1ad332-0005b2-Bl f92aba551dfd767e3590576141019e04
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Proposal: Cookie Priorities
Archived-At: <http://www.w3.org/mid/CACweHNB0dOrBFxL6HMTx4o_8-qVFSrRD4C3pARHydStLyuV=gw@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31221
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 07/03/2016 7:34 PM, "Mike West" <mkwst@google.com> wrote:
>
> Also, just so it's clear: the `priority` attribute is only considered in
the context of a single domain. We don't discard `example.com`'s "low"
priority cookies in order to keep `google.com`'s "high" priority cookies.
We only consider priority when determining which of a particular domain's
to evict, once we know that we need to evict a few. It is quite limited in
scope, and does not override any of the other mechanisms which might cause
a cookie to be removed. In particular, `priority=high` does not change
cookie expiration. I don't think it's fair at all to allude to it as a
supercookie.
>
>> Regarding "Priority=Low": this allows/encourages people to add even more
cookies, because "they're low priority, so they're less harmful." Telling
people to add a bunch of fluffy cookies because 'they can be pruned if
there are too many' doesn't seem like an improvement to me. Better advice
would be: don't send so much cruft in cookies.
>
>
> Given that `priority` only comes into play when cookies are evicted for
exceeding a domain's limit, it doesn't appear that developers have needed
much encouragement. :)
>
> In the particular set of cases I'm concerned with, the problem isn't a
single developer or even a single application stuffinh a user's cookie jar
with 150+ cookies, but a collusion of multiple applications on a single
registrable domain. For each individual application, cookies might be
totally legitimate and not at all crufty; that doesn't change the overall
impact on the domain.
>

Doesn't that last paragraph counter the previous a bit? You don't discard
example.com's low cookies to keep google.com's high ones, but you evict
google.com/foo's low ones to keep google.com/bar's high ones. Even though
the foo and bar teams are clearly independent of each other (else surely
they could synergise their cookies a bit better in the first place.)

How many domains host 150 completely independent apps that the user is
actively logged into simultaneously? Even 75? Hell, even 35? And four-five
cookies per app is pushing what I'd normally consider reasonable, we're
definitely pushing into cruft territory here.

Maybe I'm too conservative.

If the wg/community decides that fixing the problem is intractible, then
sure, patch the symptoms -- but please take care to do it in a way that
doesn't make things worse.

> [...] it doesn't appear that developers have needed much encouragement.

What if the current state of things is just not making it worse?

Cheers

v2.23.0 | Report a Bug | By Email