- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Tue, 11 Dec 2012 14:29:41 -0800
- To: HTTP Working Group <ietf-http-wg@w3.org>

I think that perhaps the following clause, which appears to be a throwaway, needs an issue to track it.

"A SETTINGS frame [...]. When the server is the sender, the sender can request that configuration data be persisted by the client across SPDY sessions and returned to the server in future communications."

The concern here is that this provides another mechanism by which servers are able to track clients.

For the browser guys who have implemented this: What controls, if any, are offered to users over this data? Are users able to clear the store? Are there limits on settings storage? Do you have any data on the value of having clients persist settings?

It occurs that it might be possible to verify that a client has a particular settings configuration without having them echo the settings and thereby provide another cookie channel. I hear that hash algorithms are good for this sort of thing.

---Martin

Received on Tuesday, 11 December 2012 22:30:09 UTC