- From: Daniel Stenberg <daniel@haxx.se>
- Date: Sun, 4 Sep 2016 13:05:53 +0200 (CEST)
- To: David Eckel <dvdckl@gmail.com>
- cc: HTTP Working Group <ietf-http-wg@w3.org>, Yves Lafon <ylafon@w3.org>
On Thu, 1 Sep 2016, David Eckel wrote:

> Cookie: analyticsId=1;analyticsId=2;__Cookie-Attribute=Path,Domain
> Cookie-Attribute:
> Path=/,Domain=www.example.com;Path=/index,Domain=.example.com;Path=/,Domain=www.example.com

> - Opt-in security means a long road to adoption

It's too long a road IMO. It'll make every server implementation have to default to non-supporting clients and there will never be 100% compliance, so this header will significantly complicate the server (and client) implementations for a very long time (completely deprecating things on the Internet is hard and all that), and yet any client that wants to avoid that setup will just not send the header...

This, in an area that has turned out harder to change than most other HTTP areas (remember all the funky cookie RFCs that have been attempted through the years) since (I suspect) server side cookie implementations are so often custom and hand rolled out and are not just half a dozen major implementations you can upgrade to the latest version and be done with it.

So no, I don't see this suggestion as a good road forward.

--
 / daniel.haxx.se
Received on Sunday, 4 September 2016 11:06:20 UTC