- From: Mike West <mkwst@google.com>
- Date: Sat, 25 Oct 2014 07:49:38 +0200
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAKXHy=cC_0EfarB_RrjyBH52+GWxxFCyCzORtraaRYh=ApdEyA@mail.gmail.com>
On Fri, Oct 24, 2014 at 11:15 PM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 24 October 2014 21:42, Mike West <mkwst@google.com> wrote:
> Now you get it :)
>
> That seems kludgy, and it's going to hurt a lot given the size of the name

This is where I wave my hands and say "header compression", and we all nod wisely, right? :)

There are two ways I see for doing feature detection: UA sniffing, which is terrible, or a request header. Reusing the same header seems like a reasonable way of doing things, but a dedicated (short) hint-style header might be better. I'd love suggestions.

> (have you considered calling this 'Cake' for the sake of brevity?)
>

Happy to. Cake is tastier than cookies, in any event.

> Now, if we are paying this price for feature detection, I think that I would really like to see an entirely new mechanism defined. Even a small tweak would mitigate attacks like POODLE considerably. Imagine if you could randomly mask the contents of a cookie...
>

Hrm. I'm _totally_ on board with exploring a replacement for cookies entirely (and I think channel ID, origin certs, etc. are already good steps in that direction). I think we can (and should) do that in parallel with baby steps towards sanity in the current implementation.

I see some distinct problems with the way cookies work. I think harmonizing cookies with the same-origin policy is a nicely minimal way to offer servers the ability to avoid those problems. I suspect that minimal changes will be significantly easier to come to agreement on and deploy.

-mike

-- 
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing Directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Saturday, 25 October 2014 05:50:27 UTC
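The "randomly mask the contents of a cookie" idea raised in the quoted reply, worked through as an added Python example that is not code from this thread or from any browser or server project. It assumes a wire form of base64url(mask || (value XOR mask)) with a fresh random mask every time the cookie is emitted; the function names and the encoding are choices made for this example, not anything the thread specifies.

```python
import base64
import secrets
from typing import Optional

# Per-transmission masking of a cookie value, as sketched in the thread.
# Wire form (an assumption for this example): base64url(mask || (value XOR mask)).
# A fresh random mask is drawn each time the cookie is emitted, so the bytes an
# on-path observer sees change on every request even though the value the server
# recovers is always the same. Attacks in the POODLE family depend on the secret
# sitting at a stable, attacker-aligned position in repeated plaintext; per-request
# masking removes that stable target.


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mask_cookie_value(value: bytes, mask: Optional[bytes] = None) -> str:
    """Return the masked wire form of `value`.

    A random mask is drawn unless one is supplied; passing a fixed mask is only
    useful for deterministic tests.
    """
    if mask is None:
        mask = secrets.token_bytes(len(value))
    if len(mask) != len(value):
        raise ValueError("mask must be exactly as long as the value")
    wire = mask + _xor(value, mask)
    # Strip base64 padding so the value is safe in a cookie without quoting.
    return base64.urlsafe_b64encode(wire).decode("ascii").rstrip("=")


def unmask_cookie_value(wire: str) -> bytes:
    """Recover the original value from its masked wire form."""
    raw = base64.urlsafe_b64decode(wire + "=" * (-len(wire) % 4))
    if len(raw) % 2:
        raise ValueError("malformed masked cookie: odd length")
    half = len(raw) // 2
    mask, masked = raw[:half], raw[half:]
    return _xor(masked, mask)


def wire_forms_are_distinct(value: bytes, transmissions: int = 8) -> bool:
    """Emit the same value several times; every wire form must differ while
    every one of them still unmasks to the original value."""
    forms = [mask_cookie_value(value) for _ in range(transmissions)]
    if len(set(forms)) != transmissions:
        return False
    return all(unmask_cookie_value(f) == value for f in forms)


if __name__ == "__main__":
    secret = b"session=7f3a9c1d"  # constructed sample cookie value
    for _ in range(3):
        form = mask_cookie_value(secret)
        print(form, "->", unmask_cookie_value(form))
```

Masking only randomises what crosses the wire; it adds no integrity protection, so the cookie's existing attributes (Secure, HttpOnly, and whatever origin scoping the thread is discussing) still have to do their job. Note also that the masked form is twice the length of the value, which is exactly the "paying this price" trade-off the reply refers to.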