W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2016

Re: Defining First and Third Party Cookies

From: Mike West <mkwst@google.com>
Date: Mon, 18 Jan 2016 07:38:51 +0100
Message-ID: <CAKXHy=dfpO-49Q86X1y+rRcm8Ax=PyqryMy+W3SPdDy-+ShTrg@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>, Mark Goodwin <mgoodwin@mozilla.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Mon, Jan 18, 2016 at 3:52 AM, Mark Nottingham <mnot@mnot.net> wrote:

> It doesn't look like there's enough interest in Mike's first-party cookie
> draft to consider a CfA for it yet.

I do plan to ship an implementation of first-party-only in Chrome in the
relatively near future; I think it's a solid measure against CSRF, and
folks like GitHub are already experimenting with Chrome's flagged
implementation. I'm hopeful that Mozilla will find time to do the same.
+mgoodwin in the hopes that he can pass on Mozilla's perspective.

> However, I'm wondering if it would be useful to pull the definitions of
> first and third party cookies out of that and into CookieBIS, since they're
> currently not defined anywhere normatively.
> Specifically:
> https://tools.ietf.org/html/draft-west-first-party-cookies-04#section-2.1
> What do people think?

I think that's a pretty reasonable suggestion if there's not enough
interest in the rest of the proposal.

Received on Monday, 18 January 2016 06:39:41 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 22 March 2016 12:47:10 UTC