W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2020

Re: Cookies and schemes.

From: Martin Thomson <mt@lowentropy.net>
Date: Tue, 10 Mar 2020 09:02:25 +1100
Message-Id: <110aa602-33bd-4fbf-b3af-c5530d95fc44@www.fastmail.com>
To: ietf-http-wg@w3.org
On Mon, Mar 9, 2020, at 19:51, Mike West wrote:
> https://github.com/mikewest/scheming-cookies proposes two changes:
> 1. We teach cookies about schemes, and lock them to the scheme that set 
> them (just like every other web-facing storage mechanism).


To Willy's point about transfer, perhaps we can allow any cookies that are set on an http:// response to follow a redirect to https://  The Sec-Nonsecure-Cookie header field seems like it might not be great long term.

Tf the goal is to support temporally-constrained transfer, then binding the cookies to the redirect avoids pulling from previous state.  Also, the redirector could have just packed this information into the target URL, so it's not a new tracking vector.

Have I missed a key piece of information?  Willy, could this work in the cases you understand?

> 2. We curtail non-secure schemes' cookies' lifetime by agreeing on a 
> set of heuristics for a user's "session" on a given site, and culling 
> cookies when a site's session expires.

Also good.  The need for heuristics is unfortunate, but I appreciate that you have to do that.
Received on Monday, 9 March 2020 22:02:58 UTC

This archive was generated by hypermail 2.4.0 : Monday, 9 March 2020 22:03:00 UTC