Re: _HttpOnly cookie prefix? from Rory Hewitt on 2025-02-24 (ietf-http-wg@w3.org from January to March 2025)

From: Rory Hewitt <rory.hewitt@gmail.com>
Date: Mon, 24 Feb 2025 13:04:17 -0800
To: Yoav Weiss <yoav.weiss@shopify.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, HTTP Working Group <ietf-http-wg@w3.org>, Johann Hofmann <johannhof@google.com>, Matt Metzger <matthew.metzger@shopify.com>
Message-ID: <CAEmMwDwvuQxTTmtkWVjUOjLLDMe=0jvg1hC1p2MnbsDtFsCZKQ@mail.gmail.com>

No apologies required - you'd added a link at the top of your document, but
I completely missed it :)

I forked the repo, made some suggested changes and made a PR to your repo.
Feel free to ignore - I understand this is just a draft...

On Mon, Feb 24, 2025 at 12:19 PM Yoav Weiss <yoav.weiss@shopify.com> wrote:

> Apologies!! The repo is at https://github.com/yoavweiss/httponly_prefix
>
> On Mon, Feb 24, 2025 at 9:16 PM Rory Hewitt <rory.hewitt@gmail.com> wrote:
>
>> Yoav,
>>
>> Stupid question - where is the Git repo?
>>
>> On Mon, Feb 24, 2025 at 9:57 AM Yoav Weiss <yoav.weiss@shopify.com>
>> wrote:
>>
>>>
>>>
>>> On Mon, Feb 24, 2025 at 6:02 PM Rory Hewitt <rory.hewitt@gmail.com>
>>> wrote:
>>>
>>>> Quick nit:
>>>>
>>>> Section 2.1.2 is called "The "__HttpOnlyHost-" prefix" but the text
>>>> begins "If a cookie's name begins with a case-sensitive match for the
>>>> string __HttpOnly-, then [...]".
>>>>
>>>
>>> Oops!!
>>>
>>>>
>>>> Do you want nits and other stuff in the Git repo or via this email DL?
>>>>
>>>
>>> Issues on the repo would be best.
>>>
>>>
>>>>
>>>> On Mon, Feb 24, 2025 at 3:01 AM Yoav Weiss <yoav.weiss@shopify.com>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Mon, Feb 24, 2025 at 11:36 AM Yoav Weiss <yoav.weiss@shopify.com>
>>>>> wrote:
>>>>>
>>>>>> Oh yeah! I'd need to also add steps to
>>>>>> https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-19.html#section-5.7
>>>>>> to impact the consumer processing models.
>>>>>>
>>>>>
>>>>> Took a stab at that:
>>>>> https://yoavweiss.github.io/httponly_prefix/draft-httponlyprefix-weiss-http.html#name-storage-model
>>>>>
>>>>> Feedback appreciated! :)
>>>>>
>>>>>
>>>>>>
>>>>>> On Mon, Feb 24, 2025 at 11:26 AM Anne van Kesteren <annevk@annevk.nl>
>>>>>> wrote:
>>>>>>
>>>>>>> On Mon, Feb 24, 2025 at 11:05 AM Yoav Weiss <yoav.weiss@shopify.com>
>>>>>>> wrote:
>>>>>>> > I've put together an I-D to propose this more officially. I'd love
>>>>>>> feedback on it.
>>>>>>>
>>>>>>> This only covers requirements for producers. Consumers will have to
>>>>>>> perform ASCII case-insensitive matching, for instance.
>>>>>>>
>>>>>>
>>>>
>>>> --
>>>> Rory Hewitt
>>>>
>>>> https://www.linkedin.com/in/roryhewitt
>>>>
>>>
>>
>> --
>> Rory Hewitt
>>
>> https://www.linkedin.com/in/roryhewitt
>>
>

-- 
Rory Hewitt

https://www.linkedin.com/in/roryhewitt

Received on Monday, 24 February 2025 21:04:32 UTC