Re: Cookie-Attribute request header proposal

On Thu, 1 Sep 2016, David Eckel wrote:

> Cookie: analyticsId=1;analyticsId=2;__Cookie-Attribute=Path,Domain
> Cookie-Attribute: Path=/,Domain=www.example.com;Path=/index,Domain=.example.com;Path=/,Domain=www.example.com

> - Opt-in security means a long road to adoption

It's too long a road IMO. It'll make every server implementation have to 
default to non-supporting clients and there will never be 100% compliance, so 
this header will significantly complicate the server (and client) 
implementations for a very long time (completely deprecating things on the 
Internet is hard and all that) and yet for any client that wants to avoid that 
setup they'll just not send the header...

This, in an area that has turned out harder to change than most other HTTP 
areas (remember all the funky cookie RFCs that have been attempted through the 
years) since (I suspect) server side cookie implementations are so often 
custom and hand rolled out and are not just half a dozen major implementations 
you can upgrade to the latest version and be done with it.

So no, I don't see this suggestion as a good road forward.

-- 

  / daniel.haxx.se

Received on Sunday, 4 September 2016 11:06:20 UTC