# AD Review of draft-ietf-httpbis-rfc6265bis-19

cc @fpalombini

Thank you for this document, which I found very clear. I only have a couple of very minor notes on the use of BCP 14 SHOULD; you can take care of these at the same time as any other comments from IETF last call, which I will initiate now.

Francesca

## Comments

### SHOULD NOT

Section 3:
> Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field.

I wonder why this is a SHOULD NOT and not a MUST NOT. I do see this was a SHOULD NOT in the original RFC 6265. If it's the case that it has been kept as a SHOULD NOT because existing implementations do it despite this recommendation, I suggest explicitly motivating it here (for example by adding a note, as has been done in other sections of the document).

### should or SHOULD

Section 5.6.7.1:
> When possible, developers should use a session management mechanism such as that described in Section 8.8.2 to mitigate the risk of CSRF more completely.

Is this a should or a BCP14 SHOULD?

### TLS reference

Section 4.1.2.5:
> (typically HTTP over Transport Layer Security (TLS) [HTTP])

I believe an informative reference to TLS should be added. Note that TLS is mentioned a couple of times throughout the doc (always as informative).

## Notes

This review is in the ["IETF Comments" Markdown format][ICMF]. You can use the
[`ietf-comments` tool][ICT] to automatically convert this review into
individual GitHub issues.

[ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
[ICT]: https://github.com/mnot/ietf-comments

Received on Tuesday, 28 January 2025 14:39:40 UTC
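The first comment above concerns the draft's "SHOULD NOT fold multiple Set-Cookie header fields" rule. The following Python snippet is an added example, not part of the review or of the draft, that shows the concrete failure mode behind that rule: generic HTTP header folding joins field values with commas, but a Set-Cookie `Expires` attribute carries a date that itself contains a comma, so a recipient that unfolds by splitting on commas mangles the cookies. The two sample Set-Cookie values and the helper names are constructed for this example.

```python
"""Added example (not from the AD review or draft-ietf-httpbis-rfc6265bis):
why folding Set-Cookie header fields into one field is unsafe.

Most header fields may be combined by joining their values with ", ".
Set-Cookie is the exception: the Expires attribute value contains a comma,
so a generic comma-splitting recipient cannot recover the original fields.
"""
from typing import Dict, List, Tuple

# Constructed sample: two Set-Cookie header fields, one cookie per field,
# as an origin server should emit them.
SEPARATE_FIELDS: List[str] = [
    "sid=abc123; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; HttpOnly",
    "theme=dark; Path=/",
]


def fold_fields(values: List[str]) -> str:
    """Generic header folding: join the field values with ', '."""
    return ", ".join(values)


def naive_unfold(folded: str) -> List[str]:
    """What a generic header parser does with a folded field: split on commas."""
    return [part.strip() for part in folded.split(",")]


def parse_set_cookie(field: str) -> Tuple[str, str, Dict[str, str]]:
    """Parse one Set-Cookie field value into (name, value, attributes).

    Attribute names are lower-cased; valueless attributes (Secure, HttpOnly)
    map to the empty string.
    """
    parts = [part.strip() for part in field.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookies_from_separate(fields: List[str]) -> List[Tuple[str, str, Dict[str, str]]]:
    """The correct reading: each Set-Cookie field is one cookie."""
    return [parse_set_cookie(f) for f in fields]


def cookies_from_folded(folded: str) -> List[Tuple[str, str, Dict[str, str]]]:
    """The damaged reading a comma-unfolding recipient produces."""
    return [parse_set_cookie(f) for f in naive_unfold(folded)]


def is_fold_safe(fields: List[str]) -> bool:
    """Defender-side check: folding is only lossless if no value contains a comma.

    Any Expires attribute fails this, which is why the rule is per-field.
    """
    return not any("," in f for f in fields)


if __name__ == "__main__":
    print("separate fields:")
    for cookie in cookies_from_separate(SEPARATE_FIELDS):
        print("  ", cookie)
    folded = fold_fields(SEPARATE_FIELDS)
    print("folded, then split on commas:")
    for cookie in cookies_from_folded(folded):
        print("  ", cookie)
    print("fold safe:", is_fold_safe(SEPARATE_FIELDS))
```

Run as a script, the folded reading yields three fragments instead of two cookies: the `sid` cookie loses its `Secure` and `HttpOnly` attributes and keeps `Expires=Wed`, while the rest of the date becomes a bogus cookie name. That attribute loss is the security consequence of folding, and `is_fold_safe` is the check an emitter can apply before ever combining fields.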