[http-state] rough notes
Peter Saint-Andre <stpeter@stpeter.im> Wed, 24 March 2010 02:22 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7A8893A67CC for <http-state@core3.amsl.com>; Tue, 23 Mar 2010 19:22:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.644
X-Spam-Level:
X-Spam-Status: No, score=0.644 tagged_above=-999 required=5 tests=[AWL=-0.487, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KpQb9OQVjR3p for <http-state@core3.amsl.com>; Tue, 23 Mar 2010 19:22:37 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 6633D3A6B47 for <http-state@ietf.org>; Tue, 23 Mar 2010 19:22:06 -0700 (PDT)
Received: from dhcp-wireless-open-abg-29-126.meeting.ietf.org (dhcp-wireless-open-abg-29-126.meeting.ietf.org [130.129.29.126]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 1512940D3A for <http-state@ietf.org>; Tue, 23 Mar 2010 20:22:24 -0600 (MDT)
Message-ID: <4BA9775D.1080200@stpeter.im>
Date: Tue, 23 Mar 2010 19:22:21 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3
MIME-Version: 1.0
To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
X-Enigmail-Version: 1.0.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms040208090407070606060500"
Subject: [http-state] rough notes
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Mar 2010 02:22:38 -0000
From http://etherpad.com/na1WtVANL4 ... [NOTE: THESE ARE NOT COMPLETE] ### HTTP State WG IEF 77 AB = Adam Barth YP = Yngve Pettersen MP = Mark Pauley JR = Julian Reschke DW = Dan Witte RF = Roy Fielding SC = Scott Cantor 1. Agenda bash & Blue sheets No bashing 2. Review closed tickets (Adam Barth) [issue and discussion missed here] Issue #4 -- comma in set-cookie MP: would love to be able to get rid of this Issue #6 -- host-only cookies IE team has expressed that they would prefer to move Issue #2 -- semicolon in quotes RFC 2109 allows this didn't exist then, invented in the spec JR: was this in the original spec? AB: what is the original spec? JR: Netscape document AB: doesn't count as a spec AB: FF has changed behavior to treat quote as any other character Issue #9 -- editorial issue Issue #8 -- just another test Issue #3 -- registry controlled domains e.g., setting cookie for "co.uk" (registry controlled) AB: giant list of registry-controlled domains AB: what do in the spec? - include a huge list? - reference publicsuffix.org ? - some kind of heuristic? (IE has own list, other browsers use Mozilla's list publicsuffix.org) YP: related to "Cookie Monster" bug Note: end of closed tickets, the scribe missed some tickets at the beginning, will need to listen to audio... Issue #10 -- handling i18n domains in domain attributes DW -- we compare everything to punycode AB: avoid putting non-unicode characters on the HTTP wire LD: - basic comparison issue - step 1: know if they are valid Issue #7 - better date parsing DW: do we want to put text in to use 64-bit field? AB: no text about what representable time is RF: no chance that many devices have 64-bit date parsing - require 64-bit date parsing only when possible, allow older machines not to YP: I did a poll, most of my colleagues have 32-bit platforms YP: most smaller platforms have a fairly low cookie limit (e.g., 300 per browser) YP: not a major issue, cookies will be deleted for lack of space MP: if browser asked to set cookie date too far in the future, clip it to date closer in Issue #12 - The path-match algorithm doesn't match IE or Firefox exactly - discussion on UAs are willing to change (DW: yes) Issue #1 -- Remove nameless cookies? Supported in IE, FF, and Chrome. Not in Safari. AB: why not support it? RF: only ever seen in JavaScript and used within that page RF: my tendency is to say this is not legal syntax and I see no reason to support it AB: my sense is we want user agents to process it but say that servers should never send it YP: prefer to say that there is always one char in the name JR: sounds like there is no interop on the wire here JR: I would say don't do this AB: we seem to require this out of document.cookie DW: it makes me sad that we support this because of one website DW: I'd support getting rid of this if more than one browser changes behavior (so we don't have a special case) DW: we should at least require equals sign AB: I'm hearing that everyone hates this JH: in other words, not putting this in the spec AB: send patches to delete this in open-source browsers Issue #5 -- Cookie ordering AB: there are some subtle issues here AB: could have two cookies with same name sent to server at same time AB: browsers resolve this by accepting the first cookie YP: perhaps spec should say that no order beyond path length YP: either (1) be very strict or (2) servers cannot rely on ordering MP: sort on (1) length of domain (2) length of path -- but I think creation date doesn't matter JH: any other major issues? JR: any dependencies on httpbis? AB: draft currently refers to existing spec, not bis YP: IIRC the spec mentions recent syntax like obsolete whitespace JR: probably safe to copy that because we're not planning to change it JR: that way you can do the same as httpbis but not reference it YP: we discussed what is in section 4, I suggest putting syntax as start of section 5 YP: suggesting that we add max-age to server part of protocol AB: max-age is not implemented in all browsers YP: suggests having two complete syntax grammars for each of the client and server sections of the spec DW: asks if there's thought that IE would impl max-age AB: don't know but one can hope LucyLynch: would be good if priv sections get bolstered, would be a good thing, came from Priv confab in DC and "profiling" is a hot topic YP: <something about some RFC about priv -- RFC2964> MP: the test suite is quite a value-add for interop (!) JR: perhaps test suite should be an appendix of the spec ab: can be done (!) JH: is there anything more to discuss from the floor? [none] JH: if we can address open issues then we can get this ready for WGLC JH: do people want to address specs for doing future things for cookies? YP: I have two or three relevant specs 1. $origin (where given cookie came from) 2. fix to address cookie monster bug 3. sub-tld / public suffix draft MP: - did we talk about cookie limits? - important to us - can have deleterious effect on web traffic - sending many kb of cookies with each request - some devices can't handle large cookies - even set limit on total size of cookie headers YP: upper limit of 4k, don't send cookie header longer than 5k AB: spec does suggest limits MP: perhaps something about compression of cookie headers, or some kind of consideration YP: servers are doing this to themselves YP: but might be causing extra cost to users who pay by the byte RF: was there resolution to issue about disclaimer text? RF: I think there are many ways to use cookies that don't violate architecture or introduce security concerns AB: security considerations used to warn against using cookies, but we removed that -- however we do talk about security issues YP: should there be a definition of third-party cookies? AB: many different definitions, could do in separate document, but I would recommend against specifying this JH: is the general notion of third-party cookies described in the security considerations? AB: good to add to privacy considerations MP: interaction here between httpstate and browser behavior MP: tradeoff between ability to add useful content from a third party in a page and desire not to have your activities tracked by a third party DW: I think it's out of scope SC: third-party cookies can help you do session logout and clear state
- [http-state] rough notes Peter Saint-Andre