[http-state] One last attempt to get y'all to like the idea of a non-inclusive Set-Cookie design
Paul James Hammant <phammant@thoughtworks.com> Thu, 18 November 2010 19:59 UTC
Return-Path: <phammant@thoughtworks.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3B1EF28C10D for <http-state@core3.amsl.com>; Thu, 18 Nov 2010 11:59:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.488
X-Spam-Level:
X-Spam-Status: No, score=-4.488 tagged_above=-999 required=5 tests=[BAYES_05=-1.11, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id imlwhAtKcFXA for <http-state@core3.amsl.com>; Thu, 18 Nov 2010 11:59:42 -0800 (PST)
Received: from na3sys009aog104.obsmtp.com (na3sys009aog104.obsmtp.com [74.125.149.73]) by core3.amsl.com (Postfix) with SMTP id F405528C110 for <http-state@ietf.org>; Thu, 18 Nov 2010 11:59:25 -0800 (PST)
Received: from source ([74.125.82.45]) by na3sys009aob104.postini.com ([74.125.148.12]) with SMTP ID DSNKTOWFzlF3BqR1tYGaGHS6cb4ZewiLRfh+@postini.com; Thu, 18 Nov 2010 12:00:14 PST
Received: by mail-ww0-f45.google.com with SMTP id 18so641985wwi.14 for <http-state@ietf.org>; Thu, 18 Nov 2010 12:00:13 -0800 (PST)
Received: by 10.227.152.9 with SMTP id e9mr1155913wbw.169.1290110413558; Thu, 18 Nov 2010 12:00:13 -0800 (PST)
MIME-Version: 1.0
Received: by 10.227.152.78 with HTTP; Thu, 18 Nov 2010 11:54:24 -0800 (PST)
From: Paul James Hammant <phammant@thoughtworks.com>
Date: Thu, 18 Nov 2010 13:54:24 -0600
Message-ID: <AANLkTinfDu8SEJC8yd+q8dCOMOROpsBtOcgos4kTs=y3@mail.gmail.com>
To: http-state <http-state@ietf.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Subject: [http-state] One last attempt to get y'all to like the idea of a non-inclusive Set-Cookie design
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Nov 2010 19:59:44 -0000
Refer - http://paulhammant.com/blog/not-path-cookies.html It is a modification to my proposal last month; Better this time based on the comments in this mail list when I last proposed it. I also reference the Michal Zalewski blog posting critical of cookies I think it is even more relevant given the http://www.eff.org/pages/how-deploy-https-correctly posting from three days ago where the EFF suggests no more mixed content (see below). -Paul >From the EFF blog entry: ** Mixed Content ** When hosting an application over HTTPS, there can be no mixed content; that is, all content in the page must be fetched via HTTPS. It is common to see partial HTTPS support on sites, in which the main pages are fetched via HTTPS but some or all of the media elements, stylesheets, and JavaScript in the page are fetched via HTTP. This is unsafe because although the main page load is protected against active and passive network attack, none of the other resources are. If a page loads some JavaScript or CSS code via HTTP, an attacker can provide a false, malicious code file and take over the page’s DOM once it loads. Then, the user would be back to a situation of having no security. This is why all mainstream browsers warn users about pages that load mixed content. Nor is it safe to reference images via HTTP: What if the attacker swapped the Save Message and Delete Message icons in a webmail app? You must serve the entire application domain over HTTPS. Redirect HTTP requests with HTTP 301 or 302 responses to the equivalent HTTPS resource. Some site operators provide only the login page over HTTPS, on the theory that only the user’s password is sensitive. These sites’ users are vulnerable to passive and active attack.
- [http-state] One last attempt to get y'all to lik… Paul James Hammant
- Re: [http-state] One last attempt to get y'all to… Mark Pauley
- Re: [http-state] One last attempt to get y'all to… Paul James Hammant
- Re: [http-state] One last attempt to get y'all to… Mark Pauley