Re: draft-west-cookie-prefixes-05 comments

Hi Eitan!

On Thu, Dec 3, 2015 at 1:49 AM, Eitan Adler <lists@eitanadler.com> wrote:

> I have some comments about the draft-west-cookie-prefixes-05 draft:
>

Great, thank you for taking a look!


> The syntax is ugly, but extensible without having to introduce
> additional extension points.


I'd be interested in hearing about the use cases for other prefixes, but
I'm hopeful that we won't need/want to add many prefixes. The two defined
in https://tools.ietf.org/html/draft-west-cookie-prefixes seem to close the
most pressing gaps.


> I'm concerned about the use of __ for both
> regular cookies and special handling cookies (such as __host and __secure).
>

What do you mean here? You're concerned that magic cookies like
(`__SECURE-whatever`) and boring cookies (like `__utma`) can both start
with "__"?


> I'd like to see the prefix changed to one which it can be specified
> that conformant implementations MUST NOT use a prefix other than
> those defined by an RFC.
>
> Perhaps __-SECURE and __-HOST can be used? Note the additional "-".
>

I don't understand the concern. What dangers do you see in the current
syntax? How does adding an additional `-` resolve them?

-mike

Received on Thursday, 3 December 2015 14:17:45 UTC