- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 6 Aug 2014 21:09:50 -0700
- To: Greg Wilkins <gregw@intalio.com>
- Cc: Michael Sweet <msweet@apple.com>, Jason Greene <jason.greene@redhat.com>, David Krauss <potswa@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 6 August 2014 15:22, Greg Wilkins <gregw@intalio.com> wrote:

> We are also currently never indexing set-cookie, but I admit to being confused
> about the need to do this or if it can just be without index?

Never index is a protection for downstream intermediaries that might mix your set-cookie in with attacker-sourced guesses about the value of the header field.

If you have lots of entropy in the field, it is probably safe to allow it to be indexed. Or, if the header field doesn't contain any confidential information, you don't need it.

That said, a) you can't really tell mechanically whether those conditions are true, and b) repeating set-cookie with the same value is probably more likely to be a bug than a real thing.
Received on Thursday, 7 August 2014 04:10:17 UTC
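As an added example, not part of this thread or of any project discussed in it, the three HPACK literal representations the reply contrasts (RFC 7541 section 6.2: incremental indexing, without indexing, never indexed) encoded by hand, with a policy that emits set-cookie as never-indexed. The static-table index is supplied by the caller and the list of sensitive field names is an assumption of the example.

```python
"""HPACK literal header field encoding (RFC 7541 section 6.2) without Huffman."""
from enum import Enum


class Repr(Enum):
    INCREMENTAL = 0x40       # 01xxxxxx: added to the decoder's dynamic table
    WITHOUT_INDEXING = 0x00  # 0000xxxx: not added, but intermediaries may re-index
    NEVER_INDEXED = 0x10     # 0001xxxx: must stay a literal on every hop


# Assumed policy: fields that may carry secrets are never indexed, so a
# downstream intermediary re-encoding the block cannot put them in a table
# where attacker-controlled guesses could be compared against them.
SENSITIVE_FIELDS = {b"set-cookie", b"cookie", b"authorization", b"proxy-authorization"}


def encode_int(value: int, prefix_bits: int, flags: int = 0) -> bytes:
    """Integer with an N-bit prefix (RFC 7541 section 5.1); flags fill the high bits."""
    max_prefix = (1 << prefix_bits) - 1
    if value < max_prefix:
        return bytes([flags | value])
    out = bytearray([flags | max_prefix])
    value -= max_prefix
    while value >= 128:
        out.append((value % 128) | 0x80)
        value //= 128
    out.append(value)
    return bytes(out)


def encode_string(s: bytes) -> bytes:
    """String literal, H bit clear, length on a 7-bit prefix (section 5.2)."""
    return encode_int(len(s), 7) + s


def encode_literal(name: bytes, value: bytes, rep: Repr, name_index: int = 0) -> bytes:
    """Emit one literal header field; name_index is the static-table index, 0 for a new name."""
    prefix_bits = 6 if rep is Repr.INCREMENTAL else 4
    out = bytearray(encode_int(name_index, prefix_bits, rep.value))
    if name_index == 0:
        out += encode_string(name)
    out += encode_string(value)
    return bytes(out)


def choose_representation(name: bytes) -> Repr:
    """Never index confidential fields; everything else may enter the dynamic table."""
    return Repr.NEVER_INDEXED if name.lower() in SENSITIVE_FIELDS else Repr.INCREMENTAL


def encode_header(name: bytes, value: bytes, name_index: int = 0) -> bytes:
    return encode_literal(name, value, choose_representation(name), name_index)
```

The first three assertions in the accompanying checks are the RFC 7541 Appendix C test vectors, so the encoder can be compared byte for byte against the specification.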