- From: Martin Thomson <mt@lowentropy.net>
- Date: Tue, 10 Mar 2020 09:02:25 +1100
- To: ietf-http-wg@w3.org
On Mon, Mar 9, 2020, at 19:51, Mike West wrote:
> https://github.com/mikewest/scheming-cookies proposes two changes:
>
> 1. We teach cookies about schemes, and lock them to the scheme that set
> them (just like every other web-facing storage mechanism).

Excellent!

To Willy's point about transfer, perhaps we can allow any cookies that are set on an http:// response to follow a redirect to https://.

The Sec-Nonsecure-Cookie header field seems like it might not be great long term. If the goal is to support temporally-constrained transfer, then binding the cookies to the redirect avoids pulling from previous state. Also, the redirector could have just packed this information into the target URL, so it's not a new tracking vector.

Have I missed a key piece of information? Willy, could this work in the cases you understand?

> 2. We curtail non-secure schemes' cookies' lifetime by agreeing on a
> set of heuristics for a user's "session" on a given site, and culling
> cookies when a site's session expires.

Also good. The need for heuristics is unfortunate, but I appreciate that you have to do that.
Received on Monday, 9 March 2020 22:02:58 UTC
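The behaviour discussed above, as an added toy model written for this archive page (not code from the scheming-cookies proposal, from Mike West, or from Martin Thomson): a cookie jar keyed by the scheme of the response that set each cookie, plus the one-hop transfer rule Martin floats, under which cookies set by an http:// response that redirects to https:// on the same host ride along with that redirect while previously stored http:// cookies stay behind. The class and function names, and the exact transfer semantics, are assumptions made for illustration.

```python
# Constructed model of scheme-bound cookies with one-hop http->https transfer.
# Assumption: a cookie is locked to the scheme of the response that set it, and
# only cookies set on the redirecting response itself cross to the https target.
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class CookieJar:
    # Keyed by (scheme, host, name) so http:// and https:// cookies never mix.
    store: dict = field(default_factory=dict)

    def set_from_response(self, response_url, name, value):
        u = urlsplit(response_url)
        self.store[(u.scheme, u.hostname, name)] = value

    def cookies_for(self, request_url):
        # Only cookies whose stored scheme and host match the request are sent.
        u = urlsplit(request_url)
        return {
            name: value
            for (scheme, host, name), value in self.store.items()
            if scheme == u.scheme and host == u.hostname
        }


def follow_redirect(jar, response_url, set_cookies, location):
    """Store the Set-Cookie pairs from a redirect response, then build the
    Cookie map for the redirect target. Cookies bound to this redirect (set by
    an http:// response redirecting to https:// on the same host) are added;
    cookies already stored under http:// are not (hypothetical transfer rule)."""
    for name, value in set_cookies.items():
        jar.set_from_response(response_url, name, value)
    src, dst = urlsplit(response_url), urlsplit(location)
    cookies = jar.cookies_for(location)
    if src.scheme == "http" and dst.scheme == "https" and src.hostname == dst.hostname:
        cookies.update(set_cookies)  # only the cookies bound to this redirect
    return cookies


def demo():
    # Constructed state: one stale http:// cookie and one https:// cookie,
    # then an http:// login response redirecting to https:// with a fresh cookie.
    jar = CookieJar()
    jar.set_from_response("http://example.test/", "old", "1")
    jar.set_from_response("https://example.test/", "sec", "2")
    return follow_redirect(jar, "http://example.test/login",
                           {"hop": "3"}, "https://example.test/login")
```

Running `demo()` shows the https:// request carrying `sec` and `hop` but not `old`, which is the distinction between binding to the redirect and pulling from previous state.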