Re: Formalizing the HTTP State Tokens proposal.

5.1.  Attach HTTP State Tokens to a request

So Sec-Http-State header field is added also to requests for static sites, which do not need state.


Sec-Http-State-Options: delivery=same-origin

sure help reduce extra Sec-Http-State: header fields to be sent 
(for example static resources which are references on html page, 
 if they use another origin.)

However I suggest

Sec-Http-State-Options: delivery=none

so that static site can opt-out that request header.

Perhaps make sense also to defined other member for "Sec-Http-State-Options" header
dictionary, which controls which elements ('image', 'iframe', 'script', 'audio' 
and so on) cause Sec-Http-State: header field added to request when correspond resource
is retrieved. This is additional constrain (also "delivery" is in force).

Idea is further reduce http request size.

/ Kari Hurtta

Received on Thursday, 28 March 2019 19:07:54 UTC