Re: _HttpOnly cookie prefix? from Yoav Weiss on 2025-02-24 (ietf-http-wg@w3.org from January to March 2025)

From: Yoav Weiss <yoav.weiss@shopify.com>
Date: Mon, 24 Feb 2025 18:57:24 +0100
To: Rory Hewitt <rory.hewitt@gmail.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, HTTP Working Group <ietf-http-wg@w3.org>, Johann Hofmann <johannhof@google.com>, Matt Metzger <matthew.metzger@shopify.com>
Message-ID: <CALYmMafVzwiG6yOO5Pf0ipzBHPSHz=g1G_GvCM8srRtrCfvYqQ@mail.gmail.com>

On Mon, Feb 24, 2025 at 6:02 PM Rory Hewitt <rory.hewitt@gmail.com> wrote:

> Quick nit:
>
> Section 2.1.2 is called "The "__HttpOnlyHost-" prefix" but the text begins
> "If a cookie's name begins with a case-sensitive match for the string
> __HttpOnly-, then [...]".
>

Oops!!

>
> Do you want nits and other stuff in the Git repo or via this email DL?
>

Issues on the repo would be best.


>
> On Mon, Feb 24, 2025 at 3:01 AM Yoav Weiss <yoav.weiss@shopify.com> wrote:
>
>>
>>
>> On Mon, Feb 24, 2025 at 11:36 AM Yoav Weiss <yoav.weiss@shopify.com>
>> wrote:
>>
>>> Oh yeah! I'd need to also add steps to
>>> https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-19.html#section-5.7
>>> to impact the consumer processing models.
>>>
>>
>> Took a stab at that:
>> https://yoavweiss.github.io/httponly_prefix/draft-httponlyprefix-weiss-http.html#name-storage-model
>>
>> Feedback appreciated! :)
>>
>>
>>>
>>> On Mon, Feb 24, 2025 at 11:26 AM Anne van Kesteren <annevk@annevk.nl>
>>> wrote:
>>>
>>>> On Mon, Feb 24, 2025 at 11:05 AM Yoav Weiss <yoav.weiss@shopify.com>
>>>> wrote:
>>>> > I've put together an I-D to propose this more officially. I'd love
>>>> feedback on it.
>>>>
>>>> This only covers requirements for producers. Consumers will have to
>>>> perform ASCII case-insensitive matching, for instance.
>>>>
>>>
>
> --
> Rory Hewitt
>
> https://www.linkedin.com/in/roryhewitt
>

Received on Monday, 24 February 2025 17:57:40 UTC