Re: Origin cookies from Mike West on 2014-10-27 (ietf-http-wg@w3.org from October to December 2014)

From: Mike West <mkwst@google.com>
Date: Mon, 27 Oct 2014 08:39:36 +0100
To: Martin Thomson <martin.thomson@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAKXHy=fACGi1B3OXQz5KYBoyJ0E0W_svED1RCcKeSQCPvrPihQ@mail.gmail.com>

Thanks again for your feedback, Martin!

On Sat, Oct 25, 2014 at 9:00 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 24 October 2014 22:49, Mike West <mkwst@google.com> wrote:
> > This is where I wave my hands and say "header compression", and we all
> nod
> > wisely, right? :)
>
> It's been watered down enough that a big header still does some
> damage.  And your new mechanism won't be in the static table, so you
> still want a short name.  Request header fields are still expensive :(
>

I'm sure we can come up with an alternate syntax. `OC: 1` is probably too
terse, but it would be a minimal example to bikeshed around, if we agree
that such a mechanism is necessary.

> Anything that requires support from both peers to work might as well
> be a little more ambitious.
>

That proves a bit too much, doesn't it? I can't think of a meaningful
change that wouldn't require some level of support from both clients and
servers.

> A simple change would be to require that origin cookies that are set
> with an attribute the client didn't understand must be ignored.  That
> would make it possible to develop new protections without the risks
> I'm concerned about (new scopes of applicability, or things like the
> randomized masking).  That's a modest improvement that could enable
> incremental fixes later.

Hrm. Incremental fixes are enabled by adding explicit support for
as-yet-unknown extensions, as RFC6265 does in the `extension-av` grammar.
In fact, the reason we need a separate header here is that RFC6265 isn't
extensible enough: the `Cookie` header has no provision for metadata.

I see that as an argument for poking a bit at the `Origin-Cookie` header
grammar. It sounds like you might be suggesting that as well?

Those sorts of things aren't really possible
> with Cookie/Set-Cookie, though it might be with Cake/Bake.
>

I would be happy (really!) to devise a new scheme for HTTP state management
with you folks. I think there's lots of room for improvement, and good
ideas floating around.

I'm worried that it will turn into a multi-year slog towards consensus,
however. I believe we'll have more practical impact by defining small steps
towards something better.

That said, your argument that we design those steps in such a way as to
actually lead to something better is well-taken. So let's do that.

I think that's all I'm asking for: new names and some very minor
> tweaks to the grammar and semantics.
>

Can you be a little more concrete here? What names and grammatical/semantic
tweaks would you like to see in this proposal?

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Monday, 27 October 2014 07:40:26 UTC