W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2012

More cookies

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 11 Dec 2012 14:29:41 -0800
Message-ID: <CABkgnnWbgopGfMJVfUJG+jq3aA94RdfkUw0x9sgLOVqm4eGk5g@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
I think that perhaps the following clause, which appears to be a
throwaway, needs an issue to track it.

""A SETTINGS frame [...]. When the server is the sender, the sender
can request that configuration data be persisted by the client across
SPDY sessions and returned to the server in future communications.""

The concern here is that this provides another mechanism by which
servers are able to track clients.

For the browser guys who have implemented this: What controls, if any,
are offered to users over this data?  Are users able to clear the
store?  Are there limits on settings storage?  Do you have any data on
the value of having clients persist settings?

It occurs that it might be possible to verify that a client has a
particular settings configuration without having them echo the
settings and thereby provide another cookie channel.  I hear that hash
algorithms are good for this sort of thing.

---Martin
Received on Tuesday, 11 December 2012 22:30:09 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 11 December 2012 22:30:20 GMT