Re: _HttpOnly cookie prefix? from Rory Hewitt on 2025-02-24 (ietf-http-wg@w3.org from January to March 2025)

From: Rory Hewitt <rory.hewitt@gmail.com>
Date: Mon, 24 Feb 2025 09:02:14 -0800
To: Yoav Weiss <yoav.weiss@shopify.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, HTTP Working Group <ietf-http-wg@w3.org>, Johann Hofmann <johannhof@google.com>, Matt Metzger <matthew.metzger@shopify.com>
Message-ID: <CAEmMwDzxbJQ-VXyTZqP9RMNB-YT2zbZnDPBTO=XCHq6Of+-A9A@mail.gmail.com>

Quick nit:

Section 2.1.2 is called "The "__HttpOnlyHost-" prefix" but the text begins
"If a cookie's name begins with a case-sensitive match for the string
__HttpOnly-, then [...]".

Do you want nits and other stuff in the Git repo or via this email DL?

On Mon, Feb 24, 2025 at 3:01 AM Yoav Weiss <yoav.weiss@shopify.com> wrote:

>
>
> On Mon, Feb 24, 2025 at 11:36 AM Yoav Weiss <yoav.weiss@shopify.com>
> wrote:
>
>> Oh yeah! I'd need to also add steps to
>> https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-19.html#section-5.7
>> to impact the consumer processing models.
>>
>
> Took a stab at that:
> https://yoavweiss.github.io/httponly_prefix/draft-httponlyprefix-weiss-http.html#name-storage-model
>
> Feedback appreciated! :)
>
>
>>
>> On Mon, Feb 24, 2025 at 11:26 AM Anne van Kesteren <annevk@annevk.nl>
>> wrote:
>>
>>> On Mon, Feb 24, 2025 at 11:05 AM Yoav Weiss <yoav.weiss@shopify.com>
>>> wrote:
>>> > I've put together an I-D to propose this more officially. I'd love
>>> feedback on it.
>>>
>>> This only covers requirements for producers. Consumers will have to
>>> perform ASCII case-insensitive matching, for instance.
>>>
>>

-- 
Rory Hewitt

https://www.linkedin.com/in/roryhewitt

Received on Monday, 24 February 2025 17:02:31 UTC