- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 13 Nov 2015 12:42:58 -0800
- To: "Hodges, Jeff" <jeff.hodges@paypal.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>, Mike West <mkwst@google.com>
On 13 November 2015 at 12:29, Hodges, Jeff <jeff.hodges@paypal.com> wrote:
> Also, this means the "intent to implement" includes both user agents and
> server-sides.

Generally, yes. But we're tentatively planning to ship leave-secure-cookies-alone unilaterally based on what we are seeing in terms of usage. That is, given the Zheng paper, the breakage is a small enough amount that we're willing to make that call. I'm not sure that's true of all browsers, and nothing is final until the code has shipped. I was hoping that we could have that conversation for each of these changes.

For most of the other pieces, some indication of server support would make a big difference. If no server is going to use a feature, even in principle, that would make us much less favourably inclined toward doing the work.
Received on Friday, 13 November 2015 20:43:27 UTC