W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2015

Re: Revising RFC6265 ("Cookies")

From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 13 Nov 2015 12:42:58 -0800
Message-ID: <CABkgnnUUfE4Rmytxn2W7SD6LMzw=WVezbnJ4SWQkShaoLAfbkw@mail.gmail.com>
To: "Hodges, Jeff" <jeff.hodges@paypal.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Mike West <mkwst@google.com>
On 13 November 2015 at 12:29, Hodges, Jeff <jeff.hodges@paypal.com> wrote:
> Also, this means the "intent to implement" includes both user agents and
> server-sides.

Generally, yes.  But we're tentatively planning to ship
leave-secure-cookies-alone unilaterally based on what we are seeing in
terms of usage.  That is, given the Zheng paper, the breakage is a
small enough amount that we're willing to make that call.  I'm not
sure that's true of all browsers, and nothing is final until the code
has shipped.  I was hoping that we could have that conversation for
each of these changes.

For most of the other pieces, some indication of server support would
make a big difference.  If no server is going to use a feature, even
in principle, that would make us much less favourably inclined toward
doing the work.
Received on Friday, 13 November 2015 20:43:27 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:40 UTC