- From: Mark Nottingham <mnot@mnot.net>
- Date: Fri, 4 Mar 2016 11:56:35 +1100
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Mike West <mkwst@google.com>, HTTP Working Group <ietf-http-wg@w3.org>
> On 4 Mar 2016, at 11:53 AM, Martin Thomson <martin.thomson@gmail.com> wrote:
>
> On 4 March 2016 at 11:02, Mark Nottingham <mnot@mnot.net> wrote:
>> What do folks -- both other browser implementers and site folks -- think about this?
>
>
> This is a pretty nice hole Google dug for themselves. Though I have
> heard the same from folks at other similarly large and crufty
> organizations; it's a real problem.

FWIW - this has been my observation as well (explicitly not pointing fingers :)

> I have a small suggestion:
>
> if (request.url.scheme == 'http') {
>   cookie.priority = 'floor';
> }
>
> Related story, I believe that some of those people run servers that
> forcibly evict all cookies other than those on a small whitelist to
> prevent this sort of craziness. That turns out to have beneficial
> properties.

--
Mark Nottingham https://www.mnot.net/
Received on Friday, 4 March 2016 00:57:50 UTC
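
The allowlist eviction mentioned in the quoted reply above, sketched as an added example; it is not code from this message, its participants, or any server they describe. The allowlist, the sample Cookie header, and the function names are constructed for illustration, and the candidate Path/Domain lists are an assumption about how a site would guess the attributes of cookies it did not expect.

```python
import re

# Constructed values for illustration: the allowlist and sample header are hypothetical.
ALLOWED = frozenset({"SID", "prefs"})
SAMPLE = "SID=abc123; tracker_17=x; prefs=dark; legacy_ab=1; tracker_17=y"
# A cookie-name is an HTTP token (RFC 6265); anything else is never echoed back.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"


def cookie_names(cookie_header):
    """Return the distinct, well-formed cookie names in a Cookie request header."""
    names = []
    for pair in cookie_header.split(";"):
        name, sep, _value = pair.strip().partition("=")
        name = name.strip()
        if sep and TOKEN.fullmatch(name) and name not in names:
            names.append(name)
    return names


def eviction_headers(cookie_header, allowed=ALLOWED, paths=("/",), domains=(None,)):
    """Build Set-Cookie values that expire every cookie not on the allowlist.

    The Cookie header carries only name=value, so the Path and Domain a cookie
    was set with are unknown to the server. A deletion only takes effect when
    both match, which is why candidate paths and domains are tried in turn.
    """
    headers = []
    for name in cookie_names(cookie_header):
        if name in allowed:
            continue
        for domain in domains:
            for path in paths:
                attrs = [f"{name}=", "Max-Age=0", f"Expires={EPOCH}", f"Path={path}"]
                if domain:
                    attrs.append(f"Domain={domain}")
                headers.append("; ".join(attrs))
    return headers


if __name__ == "__main__":
    for header in eviction_headers(SAMPLE, domains=(None, "example.com")):
        print("Set-Cookie:", header)
```
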