- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 24 Oct 2014 05:29:00 +0200
- To: HTTP Working Group <ietf-http-wg@w3.org>, Mike West <mkwst@google.com>
Just saw this. It's a laudable goal. I'd hope that we could move toward this being a default mode.

I'm concerned that this draft is a little backwards when it comes to backward compat. Clients that don't support the restriction will fail open, spilling the cookie contents all over the place. Especially so if the origin attribute is the only attribute and other scope-limiting attributes are not put in place.

In addition to that failure mode, I don't see any value in having a signal from the client that a particular cookie is origin-bound. The Cookie header should be sufficient for that.

Would it make sense to reverse things: have the Origin-Cookie header field be the Set-Cookie analogue and then include that data in the Cookie header field of requests?
Received on Friday, 24 October 2014 03:29:28 UTC
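The fail-open versus fail-closed contrast in the message above, as an added example that is not part of the thread or of the draft it discusses. It models a toy cookie jar with simplified RFC 6265 scoping rules and runs both designs against a client that does and does not understand origin binding. The attribute name `Origin`, the response header name `Origin-Cookie`, the cookie value and the URLs are all assumptions chosen for illustration.

```javascript
// Added example (not from the thread or the origin-cookies draft): a toy cookie
// jar contrasting the two designs. Attribute/header names are assumed.
const ORIGIN_ATTR = 'origin';           // assumed Set-Cookie attribute name
const ORIGIN_HEADER = 'origin-cookie';  // assumed response header name

function originOf(u) {
  return `${u.protocol}//${u.host}`;    // scheme + host + non-default port
}

// Parse "name=value; Attr; Attr=val" into a record. Unknown attributes are kept
// so each jar flavour can decide whether to honour them (RFC 6265 says ignore).
function parseSetCookie(line) {
  const parts = line.split(';').map(s => s.trim());
  const eq = parts[0].indexOf('=');
  if (eq < 1) return null;
  const c = { name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1), attrs: {} };
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const k = (i < 0 ? p : p.slice(0, i)).toLowerCase();
    c.attrs[k] = i < 0 ? true : p.slice(i + 1);
  }
  return c;
}

class Jar {
  constructor(understandsOrigin) { this.understandsOrigin = understandsOrigin; this.cookies = []; }

  // Process one response; `headers` is a list of [name, value] pairs.
  store(responseUrl, headers) {
    const u = new URL(responseUrl);
    for (const [name, value] of headers) {
      const lower = name.toLowerCase();
      if (lower === 'set-cookie') {
        const c = parseSetCookie(value);
        if (!c) continue;
        // A legacy client ignores the unknown attribute and stores a normal cookie.
        this.add(u, c, this.understandsOrigin && ORIGIN_ATTR in c.attrs);
      } else if (lower === ORIGIN_HEADER) {
        // A legacy client ignores an unknown header entirely: nothing is stored.
        if (!this.understandsOrigin) continue;
        const c = parseSetCookie(value);
        if (!c) continue;
        this.add(u, c, true);
      }
    }
  }

  add(u, c, originBound) {
    const domain = (c.attrs.domain || '').replace(/^\./, '').toLowerCase();
    this.cookies = this.cookies.filter(x => x.name !== c.name);
    this.cookies.push({
      name: c.name, value: c.value,
      origin: originBound ? originOf(u) : null,
      host: u.hostname, domain: domain || null,      // host-only when no Domain
      path: c.attrs.path || '/', secure: 'secure' in c.attrs,
    });
  }

  // Build the Cookie request header for a URL; '' when nothing matches.
  cookieHeader(requestUrl) {
    const u = new URL(requestUrl);
    const out = [];
    for (const c of this.cookies) {
      if (c.origin !== null) {
        if (c.origin !== originOf(u)) continue;      // exact origin match only
      } else {
        const hostOk = c.domain
          ? (u.hostname === c.domain || u.hostname.endsWith('.' + c.domain))
          : u.hostname === c.host;                   // ports and scheme ignored
        if (!hostOk) continue;
        if (c.secure && u.protocol !== 'https:') continue;
      }
      if (!u.pathname.startsWith(c.path)) continue;
      out.push(`${c.name}=${c.value}`);
    }
    return out.join('; ');
  }
}

// Constructed scenario: https://example.com sets a session cookie relying only on
// origin binding (no Secure/Domain/Path), then the client talks to other places.
// Returns, per target URL, whether the cookie was attached.
function scenario(design, understandsOrigin) {
  const jar = new Jar(understandsOrigin);
  const headers = design === 'attribute'
    ? [['Set-Cookie', 'SID=31d4d96e; Origin']]
    : [['Origin-Cookie', 'SID=31d4d96e']];
  jar.store('https://example.com/', headers);
  const targets = ['https://example.com/app', 'http://example.com/', 'https://example.com:8443/'];
  return Object.fromEntries(targets.map(t => [t, jar.cookieHeader(t) !== '']));
}

for (const design of ['attribute', 'header'])
  for (const aware of [false, true])
    console.log(design, aware ? 'origin-aware' : 'legacy', scenario(design, aware));
```

With the attribute design a legacy client stores the cookie as an ordinary host-only cookie and sends it to the plaintext and alternate-port targets as well; with the header design the same client stores nothing, and only an origin-aware client sends the cookie, and only back to the exact origin that set it.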