Re: HPACK opcode bit patterns

On 6 August 2014 15:22, Greg Wilkins <gregw@intalio.com> wrote:
> We are also currently never indexing set-cookie, but I admit to being confused
> about the need to do this or if it can just be without index?


Never index is a protection for downstream intermediaries that might
mix your set-cookie in with attacker-sourced guesses about the value
of the header field.  If you have lots of entropy in the field, it is
probably safe to allow it to be indexed.  Or, if the header field
doesn't contain any confidential information, you don't need it.  That
said, a) you can't really tell mechanically whether those conditions
are true, and b) repeating set-cookie with the same value is probably
more likely to be a bug than a real thing.

Received on Thursday, 7 August 2014 04:10:17 UTC
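To make the distinction in the reply concrete, here is a small worked example of the three HPACK literal representations and of what a forwarding intermediary is allowed to do with each. It is added here as illustration and is not code from the list or from any HTTP/2 implementation; it assumes RFC 7541 bit patterns, sends the header name as a literal (index 0) so no static or dynamic table is needed, and keeps every string under 127 octets so lengths fit in one byte.

```python
# Minimal HPACK literal header-field encoder/decoder (RFC 7541 section 6.2).
# Illustration only: not from the mailing list or any HTTP/2 stack.
# Strings are sent raw (H=0, no Huffman) and the name is always a literal,
# so the first octet carries only the representation's bit pattern.

INCREMENTAL, WITHOUT, NEVER = "incremental", "without-indexing", "never-indexed"
FIRST_OCTET = {INCREMENTAL: 0x40,   # 01xxxxxx, 6-bit name index (0 here)
               WITHOUT:     0x00,   # 0000xxxx, 4-bit name index (0 here)
               NEVER:       0x10}   # 0001xxxx, 4-bit name index (0 here)

def _string(s):
    data = s.encode()
    assert len(data) < 127, "demo keeps each length inside the 7-bit prefix"
    return bytes([len(data)]) + data          # H=0 | length, then raw octets

def encode_literal(name, value, mode):
    return bytes([FIRST_OCTET[mode]]) + _string(name) + _string(value)

def decode_literal(buf):
    """Return (name, value, mode) for one literal representation."""
    b = buf[0]
    if (b & 0xC0) == 0x40:   mode = INCREMENTAL
    elif (b & 0xF0) == 0x10: mode = NEVER
    elif (b & 0xF0) == 0x00: mode = WITHOUT
    else: raise ValueError("indexed representation or table-size update")
    index_mask = 0x3F if mode == INCREMENTAL else 0x0F
    assert (b & index_mask) == 0, "demo handles literal names only"
    name_len = buf[1]
    name = buf[2:2 + name_len].decode()
    p = 2 + name_len
    val_len = buf[p]
    value = buf[p + 1:p + 1 + val_len].decode()
    return name, value, mode

def reencode_for_next_hop(buf, prefer=INCREMENTAL):
    """Re-encode as a compliant proxy would. Ordinary literals may be given
    whatever indexing the proxy prefers; a never-indexed literal MUST stay
    never-indexed (RFC 7541 section 6.2.3), so a later hop can never put
    the value into a table shared with attacker-chosen guesses."""
    name, value, mode = decode_literal(buf)
    return encode_literal(name, value, NEVER if mode == NEVER else prefer)

if __name__ == "__main__":
    wire = encode_literal("set-cookie", "sid=3f9a1c", NEVER)   # constructed value
    print(wire.hex())                                # 10 0a set-cookie 0a sid=3f9a1c
    print(reencode_for_next_hop(wire) == wire)       # True: protection survives the hop
    plain = encode_literal("server", "jetty", WITHOUT)
    print(reencode_for_next_hop(plain)[0] == 0x40)   # True: proxy may index this one
```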