Re: _HttpOnly cookie prefix? from Yoav Weiss on 2025-03-20 (ietf-http-wg@w3.org from January to March 2025)

From: Yoav Weiss <yoav.weiss@shopify.com>
Date: Thu, 20 Mar 2025 09:23:46 +0000
To: Rory Hewitt <rory.hewitt@gmail.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, HTTP Working Group <ietf-http-wg@w3.org>, Johann Hofmann <johannhof@google.com>, Matt Metzger <matthew.metzger@shopify.com>
Message-ID: <CALYmMacomEbEBZ2M40JspKX1a2YMo7v0ddbbQbgftO-M6QS3Fw@mail.gmail.com>

I published an I-D
<https://www.ietf.org/archive/id/draft-httponlyprefix-weiss-http-00.html>.
Feedback welcome! Looking forward to discussing this tomorrow!!

On Mon, Feb 24, 2025 at 9:04 PM Rory Hewitt <rory.hewitt@gmail.com> wrote:

> No apologies required - you'd added a link at the top of your document,
> but I completely missed it :)
>
> I forked the repo, made some suggested changes and made a PR to your repo.
> Feel free to ignore - I understand this is just a draft...
>
> On Mon, Feb 24, 2025 at 12:19 PM Yoav Weiss <yoav.weiss@shopify.com>
> wrote:
>
>> Apologies!! The repo is at https://github.com/yoavweiss/httponly_prefix
>>
>> On Mon, Feb 24, 2025 at 9:16 PM Rory Hewitt <rory.hewitt@gmail.com>
>> wrote:
>>
>>> Yoav,
>>>
>>> Stupid question - where is the Git repo?
>>>
>>> On Mon, Feb 24, 2025 at 9:57 AM Yoav Weiss <yoav.weiss@shopify.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Mon, Feb 24, 2025 at 6:02 PM Rory Hewitt <rory.hewitt@gmail.com>
>>>> wrote:
>>>>
>>>>> Quick nit:
>>>>>
>>>>> Section 2.1.2 is called "The "__HttpOnlyHost-" prefix" but the text
>>>>> begins "If a cookie's name begins with a case-sensitive match for the
>>>>> string __HttpOnly-, then [...]".
>>>>>
>>>>
>>>> Oops!!
>>>>
>>>>>
>>>>> Do you want nits and other stuff in the Git repo or via this email DL?
>>>>>
>>>>
>>>> Issues on the repo would be best.
>>>>
>>>>
>>>>>
>>>>> On Mon, Feb 24, 2025 at 3:01 AM Yoav Weiss <yoav.weiss@shopify.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Feb 24, 2025 at 11:36 AM Yoav Weiss <yoav.weiss@shopify.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Oh yeah! I'd need to also add steps to
>>>>>>> https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-19.html#section-5.7
>>>>>>> to impact the consumer processing models.
>>>>>>>
>>>>>>
>>>>>> Took a stab at that:
>>>>>> https://yoavweiss.github.io/httponly_prefix/draft-httponlyprefix-weiss-http.html#name-storage-model
>>>>>>
>>>>>> Feedback appreciated! :)
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> On Mon, Feb 24, 2025 at 11:26 AM Anne van Kesteren <annevk@annevk.nl>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> On Mon, Feb 24, 2025 at 11:05 AM Yoav Weiss <yoav.weiss@shopify.com>
>>>>>>>> wrote:
>>>>>>>> > I've put together an I-D to propose this more officially. I'd
>>>>>>>> love feedback on it.
>>>>>>>>
>>>>>>>> This only covers requirements for producers. Consumers will have to
>>>>>>>> perform ASCII case-insensitive matching, for instance.
>>>>>>>>
>>>>>>>
>>>>>
>>>>> --
>>>>> Rory Hewitt
>>>>>
>>>>> https://www.linkedin.com/in/roryhewitt
>>>>>
>>>>
>>>
>>> --
>>> Rory Hewitt
>>>
>>> https://www.linkedin.com/in/roryhewitt
>>>
>>
>
> --
> Rory Hewitt
>
> https://www.linkedin.com/in/roryhewitt
>

Received on Thursday, 20 March 2025 09:24:02 UTC