[Bug 19028] Support a rel attribute that restricts cookie transmission

https://www.w3.org/Bugs/Public/show_bug.cgi?id=19028

--- Comment #4 from Kyle Simpson <w3c@getify.myspamkiller.com> ---
I understand the reasoning for the header approach, and appreciate the spirit
of it. I have a few concerns:

1. A primary motivator for this feature request was performance. Especially on
mobile devices with severely limited (or metered) bandwidth, the cost of lots
of cookies (often 600 bytes or more per request) is very undesirable.

If we specify that you send a list (perhaps a complicated list depending on
your needs) of paths and domains to suppress cookies on, and you do that in
response headers, then I think the default tendency for most people will be
that they turn on this header for all responses, which shifts the performance
problem from requests to responses, but doesn't alleviate it by much.

So, there'd have to be an easy way to make sure that the response header was
only sent on the initial HTML page. There are certain facilities in Apache that
could accomplish the task, like per MIME type. But that doesn't account for
Ajax requests for HTML pages/snippets, which would still send the headers.

I think we'd be creating a system that was, by default, not all that helpful,
without more education on fine-tuning the Apache mechanisms so that the headers
are only sent sparingly. User education/evangelism is useful, but it's a moving
target.


2. If we send it as a header, and multiple resources DO include the header,
what should the browser do if it receives different/conflicting answers? Last
answer wins? First answer wins? Merge the answers progressively?

If we only accept this header on HTML page requests, and ignore it on CSS and
JS and such, can we reasonably distinguish between an Ajax request for an HTML
page and a full HTML page request?


-----------

Here's a possible compromise that I think might address some of those concerns,
but still alleviate having to put the policy (via `rel`) on all containers:

What about saying the policy can be specified as a <meta> tag only, with the
same format you were suggesting, that could only be included in the <head> of
an HTML page?


Received on Thursday, 7 February 2013 15:07:04 UTC