Re: _HttpOnly cookie prefix?

On Tue, Jun 17, 2025 at 10:09 AM Rory Hewitt <rory.hewitt@gmail.com> wrote:

> where {unordered-case-sensitive-prefixes} is one or more of the following *in
> any order*:
>     *Secure*
>

We don't have to worry about that one: there are enough folks who won't
support new prefixes that aren't restricted to secure connections.


>     *Http* (I prefer this to "HttpOnly", simply because for some
> reason we've gone for case-sensitive cookie names, and if we're talking
> CamelCase prefixes, then that can confuse things)
>

Cookie prefixes were made explicitly case IN-sensitive in the spec when
early drafts ran into backwards compatibility issues with servers that
treat cookies as case-insensitive. It would be bad to use case-change as a
delimiter in a scheme like this. It's not very readable anyway—go ahead and
spend a byte on a legitimate separator.

Dan Veditz

Received on Thursday, 19 June 2025 01:47:04 UTC
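
The case-insensitive prefix matching described in the reply above, as an added example that is not part of the original message or of the spec text. It uses the existing `__Secure-` and `__Host-` prefixes and their storage requirements; the cookie object shape, the sample values, and the names `acceptCookie`, `serverLookup` and `demo` are assumptions made for illustration.

```javascript
// Added example: cookie-name prefix enforcement at the point where a user
// agent decides whether to store a cookie. The cookie object shape
// { name, value, secure, path, domain } is constructed for this sketch.
const PREFIX_RULES = [
  { prefix: "__Secure-", ok: (c) => c.secure === true },
  // __Host- also requires Path=/ and no Domain attribute.
  { prefix: "__Host-",
    ok: (c) => c.secure === true && c.path === "/" && c.domain == null },
];

// caseInsensitive=true is the behaviour the reply describes; false models a
// byte-for-byte comparison of the prefix.
function acceptCookie(cookie, caseInsensitive = true) {
  const fold = (s) => (caseInsensitive ? s.toLowerCase() : s);
  for (const { prefix, ok } of PREFIX_RULES) {
    const head = cookie.name.slice(0, prefix.length);
    if (fold(head) === fold(prefix) && !ok(cookie)) return false;
  }
  return true;
}

// Hypothetical server that folds cookie names before lookup, standing in for
// "servers that treat cookies as case-insensitive".
function serverLookup(jar, name) {
  const wanted = name.toLowerCase();
  return jar.find((c) => c.name.toLowerCase() === wanted);
}

// Constructed sample: two cookies whose names differ only in case. The first
// lacks the Secure attribute, so it could have been set over plain HTTP.
const SAMPLE = [
  { name: "__secure-sid", value: "no-secure-attr", secure: false, path: "/", domain: null },
  { name: "__Secure-sid", value: "secure-attr", secure: true, path: "/", domain: null },
];

// Which value the case-folding server reads under each matching mode.
function demo() {
  const seen = {};
  for (const [label, mode] of [["sensitive", false], ["insensitive", true]]) {
    const jar = SAMPLE.filter((c) => acceptCookie(c, mode));
    seen[label] = serverLookup(jar, "__Secure-sid").value;
  }
  return seen;
}

console.log(demo());
```

With byte-for-byte matching the lowercase name skips the Secure check while the case-folding server still reads it as the prefixed cookie; case-insensitive matching rejects it at storage time.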