- From: Mark Nottingham <mnot@mnot.net>
- Date: Sat, 14 Nov 2015 09:08:58 +1100
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: "Hodges, Jeff" <jeff.hodges@paypal.com>, HTTP Working Group <ietf-http-wg@w3.org>, Mike West <mkwst@google.com>
> On 14 Nov 2015, at 7:42 am, Martin Thomson <martin.thomson@gmail.com> wrote:
>
> On 13 November 2015 at 12:29, Hodges, Jeff <jeff.hodges@paypal.com> wrote:
>> Also, this means the "intent to implement" includes both user agents and
>> server-sides.
>
> Generally, yes. But we're tentatively planning to ship
> leave-secure-cookies-alone unilaterally based on what we are seeing in
> terms of usage. That is, given the Zheng paper, the breakage is a
> small enough amount that we're willing to make that call. I'm not
> sure that's true of all browsers, and nothing is final until the code
> has shipped. I was hoping that we could have that conversation for
> each of these changes.
>
> For most of the other pieces, some indication of server support would
> make a big difference. If no server is going to use a feature, even
> in principle, that would make us much less favourably inclined toward
> doing the work.

Yep, that was what I was thinking (and AFAICT leave-secure-cookies-alone is the only one-sided proposal so far).

--
Mark Nottingham https://www.mnot.net/
Received on Friday, 13 November 2015 22:09:28 UTC