Re: Defining First and Third Party Cookies from Mike West on 2016-01-18 (ietf-http-wg@w3.org from January to March 2016)

From: Mike West <mkwst@google.com>
Date: Mon, 18 Jan 2016 07:38:51 +0100
To: Mark Nottingham <mnot@mnot.net>, Mark Goodwin <mgoodwin@mozilla.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAKXHy=dfpO-49Q86X1y+rRcm8Ax=PyqryMy+W3SPdDy-+ShTrg@mail.gmail.com>

On Mon, Jan 18, 2016 at 3:52 AM, Mark Nottingham <mnot@mnot.net> wrote:

> It doesn't look like there's enough interest in Mike's first-party cookie
> draft to consider a CfA for it yet.
>

I do plan to ship an implementation of first-party-only in Chrome in the
relatively near future; I think it's a solid measure against CSRF, and
folks like GitHub are already experimenting with Chrome's flagged
implementation. I'm hopeful that Mozilla will find time to do the same.
+mgoodwin in the hopes that he can pass on Mozilla's perspective.


> However, I'm wondering if it would be useful to pull the definitions of
> first and third party cookies out of that and into CookieBIS, since they're
> currently not defined anywhere normatively.
>
> Specifically:
>
> https://tools.ietf.org/html/draft-west-first-party-cookies-04#section-2.1
>
> What do people think?
>

I think that's a pretty reasonable suggestion if there's not enough
interest in the rest of the proposal.

-mike

Received on Monday, 18 January 2016 06:39:41 UTC