- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 23 Dec 2015 14:32:56 +1100
- To: Remy Lebeau <remy@lebeausoftware.org>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
leave-secure-cookies-alone is a no-brainer for me. I think that Firefox intends to implement it soon-ish, but I'm not tracking it closely.

I have more trouble with the prefixes. However, I think that the working group should still adopt the draft.

If we have LSCA, then I find the incremental value of __Secure- to be limited. Unless I'm being daft, isn't __Secure- just a safeguard against forgetting to include the Secure flag when setting the cookie?

The choices for __Host- are good from a host perspective, but the Path restriction doesn't carry any justification and I can't think of any justification.

Upthread, Mike states:
> I think https://tools.ietf.org/html/draft-west-origin-cookies-01 is more or less completely obviated by cookie prefixes.

This isn't correct because __Host- doesn't bind to the port number. Though maybe it should (or we should define an __Origin- prefix instead).

On 23 December 2015 at 08:45, Remy Lebeau <remy@lebeausoftware.org> wrote:
> I am the primary maintainer of Indy, a popular Internet protocols library
> for the Delphi/C++Builder community. I implemented most of RFC 6265 back in
> 2011 when it was still a draft, and then finalized in 2012. I have not
> updated my implementation since. I, too, would like to wait for the latest
> drafts to be finalized before I start making more code changes.
>
> Remy Lebeau
> Lebeau Software
>
>
> On 12/21/2015 10:18 PM, Mark Nottingham wrote:
>>
>> As discussed earlier
>> <http://www.w3.org/mid/FAF2C2E8-0A6A-4C34-B4C4-57190AAE118D@mnot.net>, we
>> are going to use a Call for Adoption process to assure that what we specify
>> in terms of changes to Cookies -- if anything -- will actually get
>> implemented.
>>
>> Based on what we've talked about so far, I believe two specifications are
>> ready for consideration:
>>
>> * https://tools.ietf.org/html/draft-west-leave-secure-cookies-alone-04
>> * https://tools.ietf.org/html/draft-west-cookie-prefixes-05
>>
>> So, please discuss on-list:
>>
>> 1) Your intent to implement these specifications (or lack thereof).
>> 2) Your support for these specifications (or lack thereof).
>> 3) Any other Internet-Drafts that you believe we should consider in a
>> revision of the Cookie specification.
>>
>> We'll talk about this over the next few weeks, and develop a plan for
>> RFC6265bis based upon those discussions.
>>
>> Regards,
>>
>> --
>> Mark Nottingham https://www.mnot.net/
Received on Wednesday, 23 December 2015 03:33:30 UTC
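
Added example, not part of the original message or of either draft: a small Set-Cookie linter for the __Secure- and __Host- prefix requirements discussed above (Secure attribute and secure scheme for both; no Domain and Path=/ for __Host-). The function names, the sample headers, treating only `https` as a secure scheme, and matching the prefixes case-sensitively are assumptions of this sketch.

```python
def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, attrs); attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def prefix_violations(header, scheme):
    """Return the reasons a prefixed cookie would be rejected (empty list = accepted)."""
    name, attrs = parse_set_cookie(header)
    is_secure_prefix = name.startswith("__Secure-")
    is_host_prefix = name.startswith("__Host-")
    if not (is_secure_prefix or is_host_prefix):
        return []  # unprefixed cookies are outside these rules

    problems = []
    # Shared by both prefixes: this is the "forgot the Secure flag" safeguard.
    if "secure" not in attrs:
        problems.append("missing Secure attribute")
    if scheme != "https":  # assumption: https is the only secure scheme here
        problems.append("not set from a secure scheme")

    if is_host_prefix:
        # Host binding: no Domain attribute, and the Path restriction.
        if "domain" in attrs:
            problems.append("Domain attribute present")
        if attrs.get("path") != "/":
            problems.append("Path is not /")
    # No check involves a port: a __Host- cookie is scoped to the host,
    # not the origin, which is the gap the message points out.
    return problems


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real site.
    samples = [
        ("__Secure-SID=abc; Path=/", "https"),
        ("__Host-SID=abc; Secure; Path=/", "https"),
        ("__Host-SID=abc; Secure; Domain=example.com; Path=/app", "https"),
    ]
    for header, scheme in samples:
        print(header, "->", prefix_violations(header, scheme) or "accepted")
```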