- From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
- Date: Tue, 10 Mar 2020 12:58:41 -0500
- To: Martin Thomson <mt@lowentropy.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Received on Tuesday, 10 March 2020 17:59:21 UTC
A minor comment on this exchange: On Tue, Mar 10, 2020 at 2:56 AM Martin Thomson <mt@lowentropy.net> wrote: > > 2. Perhaps we prefix the non-secure cookie names with `__Non-secure-` > > rather than minting a new header? > > That might work. It's new mechanisms, but not new-header-field new > mechanisms. More below. > I'm not an expert at this, but think I'm following the discussion in this thread. Is "Non-secure" the best term that could be used as a prefix? ISTM that part of the game here may be shaming people into not continuing to use this mechanism for months/years/ever, and "secure/non-secure" seems an awfully overloaded term. Could the prefix be more precise about what's at stake if you continue to use it? Random example unlikely to be the best suggestion: compare the shame of __Non-secure to the shame of __Trivially-Hijackable, if that's the case, and it's the worst accurate thing you can think of. If not, please substitute the worst possible accurate characterization. Make good choices, of course. Best, Spencer
Received on Tuesday, 10 March 2020 17:59:21 UTC