W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2020

Re: Cookies and schemes.

From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Tue, 10 Mar 2020 12:58:41 -0500
Message-ID: <CAKKJt-eZBXn8ZS-QLzvofWYMprPr=QGxcZ84Ffx6hu=91Vmo=A@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
A minor comment on this exchange:

On Tue, Mar 10, 2020 at 2:56 AM Martin Thomson <mt@lowentropy.net> wrote:

> > 2. Perhaps we prefix the non-secure cookie names with `__Non-secure-`
> > rather than minting a new header?
>
> That might work.  It's new mechanisms, but not new-header-field new
> mechanisms.  More below.
>

I'm not an expert at this, but think I'm following the discussion in this
thread.

Is "Non-secure" the best term that could be used as a prefix? ISTM that
part of the game here may be shaming people into not continuing to use this
mechanism for months/years/ever, and "secure/non-secure" seems an awfully
overloaded term. Could the prefix be more precise about what's at stake if
you continue to use it?

Random example unlikely to be the best suggestion: compare the shame of
__Non-secure to the shame of __Trivially-Hijackable, if that's the case,
and it's the worst accurate thing you can think of. If not, please
substitute the worst possible accurate characterization.

Make good choices, of course.

Best,

Spencer
Received on Tuesday, 10 March 2020 17:59:21 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 10 March 2020 17:59:22 UTC