
Re: Harmonizing draft-west-cookie-prefixes-05 with the web origin concept

From: Mike West <mkwst@google.com>
Date: Thu, 7 Jan 2016 16:41:47 +0100
Message-ID: <CAKXHy=cz9x5VLfQd1S3PooGfdRWu00aMxxhW8fNq+MNi-5YsPQ@mail.gmail.com>
To: Willy Tarreau <w@1wt.eu>, "Emily Stark (Dunn)" <estark@google.com>, Elliott Sprehn <esprehn@google.com>
Cc: Adam Barth <w3c@adambarth.com>, httpbis <ietf-http-wg@w3.org>
On Wed, Dec 23, 2015 at 6:48 AM, Willy Tarreau <w@1wt.eu> wrote:

> Based on Mike's and your proposal, I'm wondering if a solution would not
> be to use special name cookies in addition to the regular ones to pass
> back *all* attributes and even to help define new attributes. We could
> have something like this :
>   Set-Cookie: __SID=12345; secure; path=/; domain=example.com;
>   Cookie: __SID=12345; __attr_secure__SID=1; __attr_path__SID=/;
> __attr_domain__SID=example.com; __attr_origin__SID=https://example.com
> etc... The idea being that "__attr_<attribute_name>" being prefixed in
> front of the cookie name in requests so that the client can pass the
> attributes it learned. This way, a cookie learned from the wrong
> location (eg: injected from HTTP, JS or anything) could be detected
> and replaced by the server. And it still provides unicity on the cookie
> names and value in the request.

Elliott (CC'd) proposed something similar in
with a special cookie being sent along with the request that contained all
the attributes (and presumably scopes) of the rest of the cookies. We
didn't spend a whole lot of time with that proposal, as our intuition was
that such a scheme would require some amount of work for each developer to
parse and enforce on their own, while prefixes were a pragmatic solution
that the user agent could enforce for everyone. It might well be worth
picking up (in addition to prefixes?) if there's interest in this group.

Received on Thursday, 7 January 2016 15:42:36 UTC
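To make concrete the per-developer "parse and enforce" work that the reply above says the attribute-echo scheme would require, here is an added example (not code from either correspondent or from the cookie-prefixes draft) of what a server would have to do with Willy's sketch. It assumes the naming convention from the quoted message, `__attr_<attribute>` prepended to the cookie name, restricts the attribute part to a fixed, hypothetical set so the name can be split unambiguously, and uses constructed request headers and a constructed expected-attribute policy for a cookie called `__SID`.

```python
from __future__ import annotations
import re

# Hypothetical: the attribute names a client would echo. Fixing the set makes
# "__attr_secure__SID" split unambiguously into ("secure", "__SID").
ATTR_RE = re.compile(r"^__attr_(secure|httponly|path|domain|origin)(.+)$")


def parse_cookie_header(header: str) -> dict[str, dict]:
    """Parse a Cookie header into {cookie_name: {"value": ..., "attrs": {...}}}.

    Regular pairs become cookies; "__attr_<attr><name>" pairs are attached to
    the cookie <name> as attributes learned by the client. Attribute entries
    with no matching cookie are dropped.
    """
    cookies: dict[str, dict] = {}
    echoed: dict[str, dict[str, str]] = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if "=" not in pair:
            continue
        name, value = (s.strip() for s in pair.split("=", 1))
        m = ATTR_RE.match(name)
        if m:
            echoed.setdefault(m.group(2), {})[m.group(1)] = value
        else:
            cookies[name] = {"value": value, "attrs": {}}
    for cname, attrs in echoed.items():
        if cname in cookies:
            cookies[cname]["attrs"] = attrs
    return cookies


def check_cookie(cookies: dict[str, dict], name: str,
                 expected: dict[str, str]) -> list[str]:
    """Compare the attributes the client echoed against what the server set.

    Returns a list of problems; an empty list means the cookie is consistent
    with the server's own Set-Cookie. A cookie with no echoed attributes is
    exactly the "learned from the wrong location" case the proposal targets.
    """
    cookie = cookies.get(name)
    if cookie is None:
        return ["missing"]
    problems = []
    for attr, want in expected.items():
        got = cookie["attrs"].get(attr)
        if got is None:
            problems.append(f"{attr}: not echoed")
        elif got != want:
            problems.append(f"{attr}: {got!r} != {want!r}")
    return problems


# Constructed policy: what the server believes it set for __SID.
EXPECTED_SID = {"secure": "1", "path": "/", "origin": "https://example.com"}

# Constructed request headers for the three cases a server would meet.
REQUEST_OK = ("__SID=12345; __attr_secure__SID=1; __attr_path__SID=/; "
              "__attr_domain__SID=example.com; __attr_origin__SID=https://example.com")
REQUEST_NO_ATTRS = "__SID=12345"          # e.g. set by script, nothing echoed
REQUEST_WRONG_ORIGIN = ("__SID=12345; __attr_secure__SID=1; __attr_path__SID=/; "
                        "__attr_origin__SID=http://example.com")


def verdict(header: str) -> list[str]:
    """Parse a request's Cookie header and validate __SID against the policy."""
    return check_cookie(parse_cookie_header(header), "__SID", EXPECTED_SID)


if __name__ == "__main__":
    for label, hdr in [("ok", REQUEST_OK), ("no-attrs", REQUEST_NO_ATTRS),
                       ("wrong-origin", REQUEST_WRONG_ORIGIN)]:
        print(label, verdict(hdr) or "accepted")
```

Every application that relies on the scheme would need the equivalent of `parse_cookie_header` and `check_cookie`, plus a record of the attributes it originally set, which is the contrast with a prefix such as `__Secure-` that the user agent can enforce once for everyone.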
