- From: Zhong Yu <zhong.j.yu@gmail.com>
- Date: Sat, 25 Oct 2014 17:11:44 -0500
- To: Mike West <mkwst@google.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Set-Cookie3? Just kidding. Although, is it a serious problem that cookies can be set from different origins within a domain? Typically, a domain and its subdomains run code written by the same people. The ability to set cookies across subdomains, ports, and schemes is a useful feature for the people. The problem github faces is not a typical one - there are not very many companies that host user code on subdomains. And it's not too much trouble for these companies to solve the problem with existing devices. Zhong Yu bayou.io On Sat, Oct 25, 2014 at 12:49 AM, Mike West <mkwst@google.com> wrote: > On Fri, Oct 24, 2014 at 11:15 PM, Martin Thomson <martin.thomson@gmail.com> > wrote: >> >> On 24 October 2014 21:42, Mike West <mkwst@google.com> wrote: >> Now you get it :) That seems kludgy, and it's going to hurt a lot >> given the size of the name > > > This is where I wave my hands and say "header compression", and we all nod > wisely, right? :) > > There are two ways I see for doing feature detection: UA sniffing, which is > terrible, or a request header. Reusing the same header seems like a > reasonable way of doing things, but a dedicated (short) hint-style header > might be better. I'd love suggestions. > >> >> (have you considered calling this 'Cake' >> for the sake of brevity?) > > > Happy to. Cake is tastier than cookies, in any event. > >> >> Now, if we are paying this price for feature detection, I think that I >> would really like to see an entirely new mechanism defined. Even a >> small tweak would mitigate attacks like POODLE considerably. Imagine >> if you could randomly mask the contents of a cookie... > > > Hrm. I'm _totally_ on board with exploring a replacement for cookies > entirely (and I think channel ID, origin certs, etc. are already good steps > in that direction). I think we can (and should) do that in parallel with > baby steps towards sanity in the current implementation. > > I see some distinct problems with the way cookies work. I think harmonizing > cookies with the same-origin policy is a nicely minimal way to offer servers > the ability to avoid those problems. I suspect that minimal changes will be > significantly easier to come to agreement on and deploy. > > -mike > > -- > Mike West <mkwst@google.com> > Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 > > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany > Registergericht und -nummer: Hamburg, HRB 86891 > Sitz der Gesellschaft: Hamburg > Geschäftsführer: Graham Law, Christine Elizabeth Flores > (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) >
Received on Saturday, 25 October 2014 22:12:11 UTC