
Re: HPACK opcode bit patterns

From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 6 Aug 2014 21:09:50 -0700
Message-ID: <CABkgnnXBD4cUFmuGkT+XP3dBWfv6iLW5Q4SG0Kq4gwrdqrTriA@mail.gmail.com>
To: Greg Wilkins <gregw@intalio.com>
Cc: Michael Sweet <msweet@apple.com>, Jason Greene <jason.greene@redhat.com>, David Krauss <potswa@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 6 August 2014 15:22, Greg Wilkins <gregw@intalio.com> wrote:
> We are also currently never indexing set-cookie, but I admit to being confused
> about the need to do this or if it can just be without index?


Never index is a protection for downstream intermediaries that might
mix your set-cookie in with attacker-sourced guesses about the value
of the header field.  If you have lots of entropy in the field, it is
probably safe to allow it to be indexed.  Or, if the header field
doesn't contain any confidential information, you don't need it.  That
said, a) you can't really tell mechanically whether those conditions
are true, and b) repeating set-cookie with the same value is probably
more likely to be a bug than a real thing.
Received on Thursday, 7 August 2014 04:10:17 UTC
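The size side-channel Martin describes, worked through as an added example (this is not code from the thread or from any HPACK implementation). A minimal RFC 7541-style encoder with the real leading bit patterns (indexed 1xxxxxxx, literal with incremental indexing 01xxxxxx, literal never indexed 0001xxxx) acts as an intermediary that re-encodes both the origin's set-cookie and attacker-influenced guesses through one dynamic table. Assumptions: no Huffman coding (H bit 0), the static table is not modelled (the dynamic table simply starts at index 62), no table size limit, and a deliberately low-entropy 4-digit "pin" cookie constructed for the demonstration.

```python
"""Minimal HPACK (RFC 7541) literal encoder used to show why "never indexed"
matters. Added example, not code from the mailing-list thread. Huffman coding is
omitted (H bit = 0), the static table is not looked up (dynamic entries start
at index 62 as in the RFC), and no dynamic table size limit is modelled."""

STATIC_TABLE_SIZE = 61  # RFC 7541 static table has 61 entries; not modelled here


def encode_int(value, prefix_bits, pattern):
    """HPACK integer (RFC 7541 5.1): `pattern` carries the opcode bits,
    `prefix_bits` low bits hold the value, overflow continues in 7-bit groups."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([pattern | value])
    out = bytearray([pattern | limit])
    value -= limit
    while value >= 128:
        out.append((value % 128) + 128)
        value //= 128
    out.append(value)
    return bytes(out)


def encode_str(s):
    """String literal with H=0: 7-bit length prefix followed by raw octets."""
    data = s.encode()
    return encode_int(len(data), 7, 0x00) + data


def representation(first_byte):
    """Classify a header field representation by its leading bit pattern."""
    if first_byte & 0x80:
        return "indexed"
    if first_byte & 0x40:
        return "literal-incremental"
    if first_byte & 0x20:
        return "dynamic-table-size-update"
    if first_byte & 0x10:
        return "literal-never-indexed"
    return "literal-without-indexing"


class Encoder:
    """Intermediary-style encoder with a dynamic table (oldest entry first)."""

    def __init__(self):
        self.entries = []
        self.present = set()

    def encode(self, name, value, never_index=False):
        if never_index:
            # 0001xxxx, index 0: name and value as literals, table untouched.
            # A compliant intermediary must re-encode such a field the same way.
            return encode_int(0, 4, 0x10) + encode_str(name) + encode_str(value)
        entry = (name, value)
        if entry in self.present:
            # Newest entry is index 62; older entries count upward from there.
            idx = STATIC_TABLE_SIZE + len(self.entries) - self.entries.index(entry)
            return encode_int(idx, 7, 0x80)  # 1xxxxxxx indexed representation
        self.entries.append(entry)
        self.present.add(entry)
        # 01xxxxxx, index 0: literal with incremental indexing, new name
        return encode_int(0, 6, 0x40) + encode_str(name) + encode_str(value)


def probe(intermediary, guess_value):
    """Attacker-influenced set-cookie re-encoded by the same intermediary; the
    encoded length is what the attacker observes (e.g. via segment sizes)."""
    return len(intermediary.encode("set-cookie", guess_value))


def recover_pin(secret_pin, never_index):
    """Return the pin the attacker recovers from the length oracle, or None
    when every guess encodes to the same length (no signal). The 4-digit pin
    is a constructed low-entropy secret; with real entropy the guess space
    would be infeasible, which is Martin's point about entropy."""
    inter = Encoder()
    # The origin's response passes through the intermediary first.
    inter.encode("set-cookie", f"pin={secret_pin:04d}", never_index=never_index)
    sizes = {g: probe(inter, f"pin={g:04d}") for g in range(10000)}
    smallest = min(sizes.values())
    hits = [g for g, n in sizes.items() if n == smallest]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    print("indexed set-cookie, recovered pin:", recover_pin(4271, never_index=False))
    print("never-indexed set-cookie, recovered pin:", recover_pin(4271, never_index=True))
```

When the intermediary is allowed to index the origin's set-cookie, the one guess that matches the stored value collapses to a 1- or 2-byte indexed representation while every other guess stays a 21-byte literal, so the attacker reads the pin straight off the length oracle. With the origin marking the field never indexed, nothing is ever in the table to match and all guesses encode to the same length. The demonstration also shows why the full-value matching of HPACK only leaks low-entropy values: there is no byte-at-a-time oracle, so a field with plenty of entropy is, as the message says, probably safe to index.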
