
Re: Fwd: I-D Action:draft-pettersen-cookie-v2-03.txt

From: Amit Klein <aksecurity@gmail.com>
Date: Sun, 09 Nov 2008 22:36:09 +0200
Message-ID: <491749B9.8040304@gmail.com>
To: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

Hi

Not sure if this is the right forum to ask questions and/or suggest 
improvements. If it isn't - I beg forgiveness and guidance ;-)

To the point:

Section 2 defines "path-matching" as:
"For two strings that represent paths, P1 and P2, P1 path-matches P2 if 
P2 is a prefix of P1 (including the case where P1 and P2 string-compare 
equal). Thus, the string /tec/waldo path-matches /tec."

And I don't see any requirement in the document for the path to end with 
slash (neither in $Path, nor in Path).

So if I understand correctly, this means that /technology path-matches 
/tec. Is this the desired behavior? I can think of operability issues 
(e.g. two applications residing on the same server, one is called /app 
and the other /app2). There may also be security implications (though in 
general, I don't believe in per-path security: 
http://www.webappsec.org/lists/websecurity/archive/2006-03/msg00000.html).

BTW - typo? in section 3.3.2:
"A Set-Cookie2 from a path /example1/example1 for SubPath=exam will be 
accepted for the path /example/exam" - I think this should be:
"A Set-Cookie2 from a path /example1/example1 for SubPath=exam will be 
accepted for the path /example1/exam"

Thanks,
-Amit


Yngve N. Pettersen (Developer Opera Software ASA) wrote:
>
>
> ------- Forwarded message -------
> From: Internet-Drafts@ietf.org
> To: i-d-announce@ietf.org
> Subject: I-D Action:draft-pettersen-cookie-v2-03.txt
> Date: Mon, 03 Nov 2008 23:15:01 +0100
>
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories.
>
>     Title           : HTTP State Management Mechanism v2
>     Author(s)       : Y. Pettersen
>     Filename        : draft-pettersen-cookie-v2-03.txt
>     Pages           : 31
>     Date            : 2008-11-03
>
> This document specifies a way to create a stateful session with
> Hypertext Transfer Protocol (HTTP) requests and responses.  It
> describes three HTTP headers, Cookie, Cookie2, and Set-Cookie2, which
> carry state information between participating origin servers and user
> agents.  The method described here differs from both Netscape's
> Cookie proposal [Netscape], and [RFC2965], but it can, provided some
> requirements are met, interoperate with HTTP/1.1 user agents that use
> Netscape's method.  (See the HISTORICAL section.)
>
> This document defines new rules for how cookies can be shared between
> servers within a domain.  These new rules are intended to address
> security and privacy concerns that are difficult to counter for
> clients implementing Netscape's proposed rules or the rules specified
> by RFC 2965.
>
> This document reflects implementation experience with RFC 2965 and
> obsoletes it.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-pettersen-cookie-v2-03.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
>
>
>
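The path-matching rule Amit quotes from section 2 of the draft, and the /app vs /app2 interoperability case he raises, can be made concrete with a small user-agent-side matcher. The following is an added example, not code from the draft, from Opera, or from the original message: it implements the draft's pure string-prefix rule beside a slash-aware variant (the rule RFC 6265, section 5.1.4, later standardised), and runs both over a constructed cookie jar. The function names, the sample cookies, and the request paths are all assumptions made for the illustration.

```javascript
// Added example (not from the draft or the mailing-list post): two
// path-match rules for a cookie's Path attribute against a request path.

// Draft-pettersen-cookie-v2 section 2 rule, exactly as quoted in the
// message: P1 path-matches P2 if P2 is a string prefix of P1.
function naivePathMatch(requestPath, cookiePath) {
  return requestPath.startsWith(cookiePath);
}

// Slash-aware rule (the rule RFC 6265 section 5.1.4 later standardised):
// the cookie path must be a prefix of the request path AND either end in
// "/" or be followed by "/" in the request path. This is what makes
// /technology NOT match /tec while /tec/waldo still does.
function slashAwarePathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath.charAt(cookiePath.length) === '/';
}

// Given a request path, a cookie jar and a matcher, return the names of
// the cookies a user agent would attach to the request under that rule.
function cookiesSent(requestPath, cookies, matcher) {
  return cookies
    .filter(c => matcher(requestPath, c.path))
    .map(c => c.name);
}

// Constructed sample jar: two applications on one host, /app and /app2,
// plus the /tec cookie from the draft's own example.
const SAMPLE_COOKIES = [
  { name: 'app_session',  path: '/app' },
  { name: 'app2_session', path: '/app2' },
  { name: 'tec_pref',     path: '/tec' },
];

// Compare the two rules over a few constructed request paths.
function demo() {
  const results = {};
  for (const rp of ['/app2/login', '/app/login', '/technology', '/tec/waldo']) {
    results[rp] = {
      naive: cookiesSent(rp, SAMPLE_COOKIES, naivePathMatch),
      slashAware: cookiesSent(rp, SAMPLE_COOKIES, slashAwarePathMatch),
    };
  }
  return results;
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' &&
    require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Under the naive rule a request to /app2/login carries the /app cookie as well as the /app2 one, which is exactly the leakage between two co-hosted applications the message describes; the slash-aware variant sends only the /app2 cookie. Neither rule turns Path into a security boundary on its own (a page under /app2 can still set or read cookies for /app), which is the point of the per-path-security link in the message.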
Received on Sunday, 9 November 2008 20:36:59 GMT
