- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Thu, 30 Aug 2018 09:42:23 +1000
- To: Erik Nygren <erik@nygren.org>
- Cc: Mike West <mkwst@google.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Thu, Aug 30, 2018 at 3:25 AM Erik Nygren <erik@nygren.org> wrote:

> One approach to consider would be to introduce an HSTS-style model to allow sites to switch defaults to be more sticky in a stateful manner. In particular, to allow specifying that some of the rfc6265bis improvements can be applied to a site in a sticky manner for some time period. See

I like that idea. It maintains the existing pipeline for production and consumption, but fixes the defaults problem without adding a parallel mechanism.

The failure modes are scary though: if you did rely on broader-scoped cookies and didn't realize, then things break (and the browser gets the blame, because it works in $other_browser...).

I think that as long as certain cookies can opt out (notSecure, notHttpOnly), then it might work as well as an entirely new mechanism.
Received on Wednesday, 29 August 2018 23:42:56 UTC
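A toy browser-side model of the sticky-defaults idea discussed in the message, added here as an illustration; it is not code from the thread or from any browser. The opt-in header syntax (`max-age=N`, cleared by `max-age=0`, as with HSTS) is an assumption, and `notSecure` / `notHttpOnly` are the per-cookie opt-outs named in the reply.

```python
import time


class StickyCookieDefaults:
    """Browser-side model: per-site strict cookie defaults with HSTS-style expiry."""

    def __init__(self, now=time.time):
        self.now = now
        self.sticky = {}  # site -> expiry timestamp of the site's opt-in

    def process_defaults_header(self, site, header_value):
        """Handle an assumed opt-in header value such as 'max-age=31536000'."""
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            if name.lower() == "max-age":
                max_age = int(value)
                if max_age <= 0:
                    self.sticky.pop(site, None)  # max-age=0 clears, like HSTS
                else:
                    self.sticky[site] = self.now() + max_age

    def strict_defaults_active(self, site):
        expiry = self.sticky.get(site)
        if expiry is None:
            return False
        if expiry <= self.now():
            del self.sticky[site]  # opt-in expired: back to legacy defaults
            return False
        return True

    def parse_set_cookie(self, site, header_value):
        """Apply Secure/HttpOnly by default while the opt-in is active,
        unless the cookie carries the notSecure / notHttpOnly opt-out."""
        parts = [p.strip() for p in header_value.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {p.partition("=")[0].lower() for p in parts[1:]}
        strict = self.strict_defaults_active(site)
        return {
            "name": name,
            "value": value,
            "secure": "secure" in attrs or (strict and "notsecure" not in attrs),
            "httponly": "httponly" in attrs or (strict and "nothttponly" not in attrs),
        }


def sendable(cookie, scheme):
    """The failure mode from the reply: a cookie that became Secure by default
    is no longer sent on the plain-http requests a site may still rely on."""
    return scheme == "https" or not cookie["secure"]
```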