W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2015

Re: draft-west-cookie-prefixes-05 comments

From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 4 Dec 2015 15:25:45 +1100
Message-ID: <CABkgnnWa9vCa+kA3K5vfkq9HnxZQzh8-4E3tj8KhLxgVNGGx2A@mail.gmail.com>
To: Eitan Adler <lists@eitanadler.com>
Cc: Mike West <mkwst@google.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Is this a risk that can be mitigated by selecting another character,
say '*' or '~'?  I know that people like to use characters that are
valid identifiers in their language of choice, which biases toward '_'
and maybe sometimes '-'.  But there are other characters that can be
used in cookie names.

Just looking at the definition for token, I see: !#$%'*+.^|~ as all
being valid.  Obviously, RFC 2068 attached the semblance of a semantic
to '$', so that might be a bit of a mistake, as noted, but absent
information, I'd suggest that you could easily use ~~SECURE=foo and
grab the entire namespace after ~~ (or some other sequence of
characters that look like swearwords...)

On 4 December 2015 at 01:47, Eitan Adler <lists@eitanadler.com> wrote:
> On 3 December 2015 at 09:16, Mike West <mkwst@google.com> wrote:
>> Hi Eitan!
>> On Thu, Dec 3, 2015 at 1:49 AM, Eitan Adler <lists@eitanadler.com> wrote:
>>> I have some comments about the draft-west-cookie-prefixes-05 draft:
>> Great, thank you for taking a look!
>>> The syntax is ugly, but extensible without having to introduce
>>> additional extension points.
>> I'd be interested in hearing about the use cases for other prefixes, but I'm
>> hopeful that we won't need/want to add many prefixes. The two defined in
>> https://tools.ietf.org/html/draft-west-cookie-prefixes seem to close the
>> most pressing gaps.
> Ideally we won't need any other prefixes.  That said, the RFC should
> be explicit about this.
>>> I'm concerned about the use of __ for both
>>> regular cookies and special handling cookies (such as __host and
>>> __secure).
>> What do you mean here? You're concerned that magic cookies like
>> (`__SECURE-whatever`) and boring cookies (like `__utma`) can both start with
>> "__"?
> Yes. See below.
>>> I'd like to see the prefix changed to one which it can be specified
>>> that conformant implementations MUST NOT use a prefix other other than
>>> those defined by an RFC.
>>> Perhaps __-SECURE and __-HOST can be used? note the additional "-"
>> I don't understand the concern. What dangers do you see in the current
>> syntax? How does adding an additional `-` resolve them?
> When some prefixes can cause semantic changes and others are treated
> as special it causes complexity in parsing, and in general
> understanding of the system.  The proposal to add a "-" or any other
> not-currently-used prefix is to make it clear that the prefix has
> special meaning.
> In other words its the difference between
>  - All cookies that begin with "__-" are special
> vs
> - Some cookies that begin with __, __SECURE, and __HOST, have special
> meaning, but most don't.
> This isn't a purely technical argument -  no known implementations
> will break - but an argument to reduce complexity.
> Another concern is that in the unlikely event we will want another
> prefix other than SECURE or HOST we won't need to scour the web to
> ensure that the newly defined word isn't already used.
> --
> Eitan Adler
Received on Friday, 4 December 2015 04:26:14 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:40 UTC