Re: [E] Re: HTTP State Tokens from George Fletcher on 2021-04-08 (public-privacycg@w3.org from April 2021)

From: George Fletcher <george.fletcher@verizonmedia.com>
Date: Thu, 8 Apr 2021 10:14:42 -0400
To: Mike West <mkwst@google.com>
Cc: Kaustubha Govind <kaustubhag@google.com>, public-privacycg@w3.org
Message-ID: <CADLPFY8xkYEjnCwySTnRmOybHrrd2bmf85KGBXrZ2kefyr=bQg@mail.gmail.com>

Hi Mike,

Thanks so much for the response! I found the ability for the user agent to
generate a signature for the state tokens very intriguing. Is there any
chance we could add that feature to existing cookies via some mechanism?
Maybe an attribute for a "set-cookie" response header?

Thoughts?

Thanks,
George

On Thu, Apr 8, 2021 at 1:18 AM Mike West <mkwst@google.com> wrote:

> Hey George,
>
> There was discussion on the IETF's HTTP working group list, and in
> WebAppSec. My impression from those conversations was that there wasn't
> enough appetite for building a cookie replacement vs. incrementally
> changing cookies as they exist. That's the strategy laid out in
> https://mikewest.github.io/cookie-incrementalism/draft-west-cookie-incrementalism.html
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__mikewest.github.io_cookie-2Dincrementalism_draft-2Dwest-2Dcookie-2Dincrementalism.html&d=DwMFaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=cl87BDJWy_Dken1-bgbUZHoY1dEfYnAZIzXekbjJhbc&m=PF75H_jMRGPCLyMfWDj-A4dzaaPqTcbqyYtjw89EGLo&s=F7i2jxquOErF2Ge7jHxCrCcLy3KYBsaY2LFPcDC8dps&e=>
> .
>
> From my perspective, state tokens are on hold while vendors determine just
> how malleable existing cookies actually are. I'd love to see folks
> collectively decide to pick them up again as I think there's some value in
> shipping a modernized version of that draft, but I'm happy to see the
> energy flow into incremental change for the time being. :)
>
> -mike
>
>
> On Wed, Apr 7, 2021 at 9:42 PM George Fletcher <
> george.fletcher@verizonmedia.com> wrote:
>
>> Thanks! I remember it being discussed but then it seems like discussion
>> has gone silent. The IETF draft expired in September 2019 :)
>>
>> On Wed, Apr 7, 2021 at 3:38 PM Kaustubha Govind <kaustubhag@google.com>
>> wrote:
>>
>>> Adding +Mike West <mkwst@google.com> (author of the proposal).
>>>
>>> It was discussed on the WebAppSec WG mailing list months ago.
>>>
>>> On Wed, Apr 7, 2021 at 3:15 PM George Fletcher <
>>> george.fletcher@verizonmedia.com> wrote:
>>>
>>>> This may not be the correct venue but figured I'd ask to see if anyone
>>>> knows the status of HTTP State tokens.
>>>>
>>>> Thanks,
>>>> George
>>>>
>>>>
>>
>>

Received on Thursday, 8 April 2021 14:15:10 UTC