- From: Mark Nottingham <mnot@mnot.net>
- Date: Fri, 4 Mar 2016 11:56:35 +1100
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Mike West <mkwst@google.com>, HTTP Working Group <ietf-http-wg@w3.org>

> On 4 Mar 2016, at 11:53 AM, Martin Thomson <martin.thomson@gmail.com> wrote:
>
> On 4 March 2016 at 11:02, Mark Nottingham <mnot@mnot.net> wrote:
>> What do folks -- both other browser implementers and site folks -- think about this?
>
>
> This is a pretty nice hole Google dug for themselves. Though I have
> heard the same from folks at other similarly large and crufty
> organizations; it's a real problem.

FWIW - this has been my observation as well (explicitly not pointing fingers :)

> I have a small suggestion:
>
> if (request.url.scheme == 'http') {
>   cookie.priority = 'floor';
> }
>
> Related story, I believe that some of those people run servers that
> forcibly evict all cookies other than those on a small whitelist to
> prevent this sort of craziness. That turns out to have beneficial
> properties.

--
Mark Nottingham   https://www.mnot.net/

Received on Friday, 4 March 2016 00:57:50 UTC
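
The server-side allowlist eviction mentioned in the quoted message, sketched as an added example (not code from this thread or from any organization it refers to). The cookie names, `example.com` and the scope list are assumptions made for illustration.

```python
import re

# Assumed for illustration: the cookie names the site still uses, and the
# Domain/Path scopes under which stray cookies may have been stored.
ALLOWED = {"SID", "prefs"}
SCOPES = [(None, "/"), ("example.com", "/")]  # None = host-only cookie
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 6265 cookie-name


def cookie_names(cookie_header):
    """Return well-formed cookie names from a Cookie header, de-duplicated."""
    names = []
    for pair in cookie_header.split(";"):
        name, sep, _value = pair.strip().partition("=")
        # Skip malformed names so they are never echoed into a response header.
        if sep and TOKEN.fullmatch(name) and name not in names:
            names.append(name)
    return names


def eviction_headers(cookie_header, allowed=ALLOWED, scopes=SCOPES):
    """Build Set-Cookie values that expire every cookie not on the allowlist.

    The Cookie header carries only name=value, not the Domain or Path a
    cookie was stored under, and an expiry only replaces a stored cookie
    with the same name, domain and path. One expiry is therefore emitted
    per candidate scope.
    """
    out = []
    for name in cookie_names(cookie_header):
        if name in allowed:
            continue
        for domain, path in scopes:
            value = (f"{name}=; Path={path}; Max-Age=0; "
                     "Expires=Thu, 01 Jan 1970 00:00:00 GMT")
            if domain:
                value += f"; Domain={domain}"
            out.append(value)
    return out


if __name__ == "__main__":
    # Constructed sample request header, including a duplicated name.
    sample = "SID=abc123; _tracker_a=1; prefs=dark; legacy_ab_test=B; _tracker_a=2"
    for header in eviction_headers(sample):
        print("Set-Cookie:", header)
```

Cookies stored under a Domain or Path outside the configured scopes survive this pass, so the scope list has to cover every place the site's hosts have historically set cookies.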