Re: _HttpOnly cookie prefix? from Rory Hewitt on 2025-02-19 (ietf-http-wg@w3.org from January to March 2025)

From: Rory Hewitt <rory.hewitt@gmail.com>
Date: Wed, 19 Feb 2025 13:59:51 -0800
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Johann Hofmann <johannhof@google.com>, Anne van Kesteren <annevk@annevk.nl>, Yoav Weiss <yoav.weiss@shopify.com>, HTTP Working Group <ietf-http-wg@w3.org>, Matt Metzger <matthew.metzger@shopify.com>
Message-ID: <CAEmMwDyg9ArOFGY00Nxm03yR0kRh5v_z+16PBqvNZf1vu4FjCQ@mail.gmail.com>

Ah yes - Cookie2 FTW!

On Wed, Feb 19, 2025 at 1:46 PM Daniel Veditz <dveditz@mozilla.com> wrote:

> On Wed, Feb 19, 2025 at 1:10 PM Johann Hofmann <johannhof@google.com>
> wrote:
> > I agree that some conversation should be had about the overall approach
> > of piling on __Prefixes and whether there's some better alternative
>
> The pitfalls of not returning cookie attributes was already recognized
> as a problem that RFC 2109 tried to solve in 1997 (and later RFC
> 2965). I assume backwards compatibility and randomly broken sites
> discouraged adoption (the death match between Netscape Navigator and
> MS IE couldn't have helped--cookies weren't a competitive feature).
> Prefixes are transparent to all the old client and server software so
> they can safely be adopted by a web application at their own pace. But
> they are a hack and can't be easily extended to cover arbitrary
> attributes.
>


-- 
Rory Hewitt

https://www.linkedin.com/in/roryhewitt

Received on Wednesday, 19 February 2025 22:00:07 UTC