Re: RFC6265 - Difference between RFC and implementation with regards to host-only-flag

I think we can treat this as the other specific issue found, and discuss it as part of the "core" draft, rather than requiring a separate I-D.

Cheers,


> On 22 Jun 2016, at 2:19 AM, Matthew Cox <macox@microsoft.com> wrote:
> 
> Thanks Mike!
>  
> I have already filed an issue: https://github.com/httpwg/http-extensions/issues/199.
>  
> Please let me know if something else needs to be done to get this updated.
>  
> Thanks,
>  
> Matthew
>  
> From: Mike West [mailto:mkwst@google.com] 
> Sent: Tuesday, June 21, 2016 5:42 AM
> To: Matthew Cox <macox@microsoft.com>; Mark Nottingham <mnot@mnot.net>
> Cc: ietf-http-wg@w3.org
> Subject: Re: RFC6265 - Difference between RFC and implementation with regards to host-only-flag
>  
> On Fri, Jun 3, 2016 at 6:31 PM, Matthew Cox <macox@microsoft.com> wrote:
> We noticed that the host-only-flag behavior is different in most browsers vs the RFC, and I’d like to get this updated with new work being done on the cookie RFC.
> 
> Given these two headers in a response from a request to http://contoso.com/:
> 
> Set-Cookie: mycookie=nothostonly; domain=contoso.com
> Set-Cookie: mycookie=hostonly
> 
> You would expect one cookie based on RFC 6265 section 5.3 where the cookie is defined by the name, domain, and path.
> 
> However, most browsers will create two cookies since they take host-only-flag into account when looking up/creating a cookie.
> 
> Based on this I’d like to update section 5.3 and 4.1.2 to add host-only-flag to the list of properties that make a unique cookie in the store.
> 
> This seems like a reasonable change to me, and I believe it matches Chrome's existing behavior.
>  
> What’s the best way to get this added?  Should I create an issue in GitHub?
> 
>  
> I'd say file an issue against https://github.com/httpwg/http-extensions/issues; not sure if this is a substantial enough change to require more than that. Mark?
>  
> -mike
> 

--
Mark Nottingham   https://www.mnot.net/

Received on Wednesday, 22 June 2016 06:36:44 UTC
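
The difference discussed in this thread, as an added example that is not part of the original messages or of any browser's code: a toy cookie store that can key on (name, domain, path) as in RFC 6265 section 5.3, or additionally on host-only-flag. The function names, the simplified parser (only Domain and Path are read) and the request path of "/" are assumptions made for the example.

```javascript
// Added example (not from the thread): a toy cookie store keyed two ways.
// Only name, value, Domain and Path are parsed; request path is assumed to be "/".
const HEADERS = [ // the two header values quoted in the thread
  "mycookie=nothostonly; domain=contoso.com",
  "mycookie=hostonly",
];

const domainMatch = (host, domain) => host === domain || host.endsWith("." + domain);

function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no name: ignore
  // No Domain attribute: host-only-flag is true and domain is the request host.
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: requestHost.toLowerCase(), hostOnly: true, path: "/" };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "domain" && val) {
      c.domain = val.replace(/^\./, "").toLowerCase();
      c.hostOnly = false;
    } else if (key === "path" && val.startsWith("/")) {
      c.path = val;
    }
  }
  // A Domain attribute that does not cover the request host is rejected.
  return domainMatch(requestHost.toLowerCase(), c.domain) ? c : null;
}

// keyOnHostOnly=false: RFC 6265 section 5.3 identity (name, domain, path).
// keyOnHostOnly=true: the browser behaviour described in the thread.
function storeCookies(headers, requestHost, keyOnHostOnly) {
  const store = new Map();
  for (const h of headers) {
    const c = parseSetCookie(h, requestHost);
    if (!c) continue;
    const key = [c.name, c.domain, c.path];
    if (keyOnHostOnly) key.push(c.hostOnly);
    store.set(JSON.stringify(key), c); // same key: new cookie replaces the old one
  }
  return [...store.values()];
}

// Cookie pairs sent to `host`: host-only cookies need an exact host match.
function cookiesFor(cookies, host) {
  return cookies
    .filter((c) => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
    .map((c) => `${c.name}=${c.value}`);
}
```

With the RFC key the later host-only cookie replaces the domain cookie, so www.contoso.com stops receiving mycookie; with host-only-flag in the key both are kept and contoso.com receives two cookies with the same name.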