- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 21 Oct 2015 15:05:31 -0700
- To: HTTP Working Group <ietf-http-wg@w3.org>, Mike West <mkwst@google.com>
https://tools.ietf.org/html/draft-west-leave-secure-cookies-alone-01 I realize that we haven't discussed this at all, but it seems like a no-brainer to me. That is, if someone (Mike?) has a satisfactory answer to this question: do you know what level of breakage is this going to cause? I have heard that this misfeature is relied upon by some non-trivial number of sites. For me, as long I can be satisfied that the breakage is extremely low, or that it will soon be, then that's sufficient. However, a non-trivial amount of bustage will likely prevent us from deploying a change like this. The authors of the paper recommended that non-secure cookies be simply given less precedence, so that they could not override cookies set by their secure brethren. That seems far less likely to cause compatibility issues. But I do prefer the change in the draft, if it can be made to stick. Either way, I'd support working on neutering this class of attacks.
Received on Wednesday, 21 October 2015 22:06:00 UTC