Re: Revising RFC6265 ("Cookies")

From: Mark Nottingham <mnot@mnot.net>
Date: Sat, 14 Nov 2015 09:08:58 +1100
Cc: "Hodges, Jeff" <jeff.hodges@paypal.com>, HTTP Working Group <ietf-http-wg@w3.org>, Mike West <mkwst@google.com>
Message-Id: <4B0D01A6-DD56-44B4-ACE0-5B45607E91D1@mnot.net>
To: Martin Thomson <martin.thomson@gmail.com>

> On 14 Nov 2015, at 7:42 am, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> On 13 November 2015 at 12:29, Hodges, Jeff <jeff.hodges@paypal.com> wrote:
>> Also, this means the "intent to implement" includes both user agents and
>> server-sides.
> 
> Generally, yes.  But we're tentatively planning to ship
> leave-secure-cookies-alone unilaterally based on what we are seeing in
> terms of usage.  That is, given the Zheng paper, the breakage is a
> small enough amount that we're willing to make that call.  I'm not
> sure that's true of all browsers, and nothing is final until the code
> has shipped.  I was hoping that we could have that conversation for
> each of these changes.
> 
> For most of the other pieces, some indication of server support would
> make a big difference.  If no server is going to use a feature, even
> in principle, that would make us much less favourably inclined toward
> doing the work.

Yep, that was what I was thinking (and AFAICT leave-secure-cookies-alone is the only one-sided proposal so far).


--
Mark Nottingham   https://www.mnot.net/
Received on Friday, 13 November 2015 22:09:28 UTC