W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2015

Re: draft-west-cookie-prefixes-05 comments

From: Matthew Kerwin <matthew@kerwin.net.au>
Date: Fri, 4 Dec 2015 15:21:12 +1000
Message-ID: <CACweHNAkRxRG6pyOnnUt=_4Bqu2Gs0N=JQYtbn68iGqfPoV5+w@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Eitan Adler <lists@eitanadler.com>, Mike West <mkwst@google.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 4 December 2015 at 14:25, Martin Thomson <martin.thomson@gmail.com>

> Is this a risk that can be mitigated by selecting another character,
> say '*' or '~'?  I know that people like to use characters that are
> valid identifiers in their language of choice, which biases toward '_'
> and maybe sometimes '-'.  But there are other characters that can be
> used in cookie names.
> Just looking at the definition for token, I see: !#$%'*+.^|~ as all
> being valid.  Obviously, RFC 2068 attached the semblance of a semantic
> to '$', so that might be a bit of a mistake, as noted, but absent
> information, I'd suggest that you could easily use ~~SECURE=foo and
> grab the entire namespace after ~~ (or some other sequence of
> characters that look like swearwords...)
​Hah, ~~SECURE ​ looks like it says "approximately secure." I like it.

If it's really an issue, I think it makes the most sense to choose
something that isn't valid in any language of choice, since there's a good
chance someone has used all the valid-looking ones somewhere in some hacky

  Matthew Kerwin
Received on Friday, 4 December 2015 05:21:40 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:40 UTC