Hi all,
As you probably know, the "OAuth for Browser-Based Apps BCP" document has
been stuck in the editor's queue for almost a year waiting on the
publication of RFC6265bis. In the meantime, the HTTPbis working group has
revised the recommendation in RFC6265bis that we reference, changing the
recommendation from prefixing cookies with "__Host-" to "__Host-Http-" in a
new document draft-ietf-httpbis-layered-cookies.
Given that we want to update the recommendation to the most current, but
also don't want to be held up until the new draft-ietf-httpbis-layered-cookies
is published as an RFC, we were considering options to make the text
non-normative so that we can continue with publication without waiting on
these.
How do folks feel about revising the recommendation in the Browser Apps BCP
to the following?
> The BFF SHOULD start the name of its cookies with a prefix indicating the
> cookie was set via HTTP, for example by using the `__Host-Http-` prefix
> defined in {{-draft-ietf-httpbis-layered-cookies}}
This text is based on the definition of the __Host-Http prefix from the
draft:
https://www.ietf.org/archive/id/draft-ietf-httpbis-layered-cookies-02.html#section-4.1.3.4
> This helps developers and server operators to know that the cookie was set
> using a Set-Cookie header, and is limited in scope to HTTP requests.
This removes the normative dependency on the cookies drafts and makes it an
example instead, which would enable us to proceed with publication.
Aaron
_______________________________________________
OAuth mailing list -- [email protected]
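As an added illustration (not from the BCP, the cookies draft, or Aaron's message), the following Python snippet shows what the proposed recommendation means in practice for a BFF: it builds a session `Set-Cookie` header carrying the `__Host-Http-` prefix and checks a header against the attributes that prefix implies. The attribute set is my reading of the drafts and is an assumption here: the `__Host-` part requires `Secure`, `Path=/` and no `Domain`, and the `-Http-` part requires `HttpOnly` and that the cookie was set via a `Set-Cookie` header. That last condition is enforced by the browser and cannot be verified from the header text, which is why the checker only covers the attributes. `SameSite=Lax` is added as a sensible default, not as something the prefix requires, and the case-insensitive prefix match is likewise an assumption.

```python
# Added example (not from the Browser-Based Apps BCP or the cookies drafts):
# build and check a BFF session cookie using the __Host-Http- prefix.
# Assumed attribute requirements (check the draft): Secure, Path=/, no Domain
# (from __Host-), plus HttpOnly and set via a Set-Cookie header (from -Http-).

PREFIX = "__Host-Http-"


def build_set_cookie(name: str, value: str, max_age: int = 600) -> str:
    """Return a Set-Cookie header value for a BFF session cookie.

    `name` is given without the prefix; it is prepended here so every
    cookie the BFF issues signals that it was set over HTTP.
    SameSite=Lax is an extra hardening choice, not a prefix requirement.
    """
    return (
        f"{PREFIX}{name}={value}; Path=/; Secure; HttpOnly; "
        f"SameSite=Lax; Max-Age={max_age}"
    )


def parse_set_cookie(header: str):
    """Split a Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def check_prefixed_cookie(header: str) -> list:
    """Return a list of problems with a __Host-Http- cookie header.

    An empty list means the header carries the attributes the prefix
    implies. Whether the cookie was really set via Set-Cookie (and not
    via document.cookie) is decided by the browser, not checkable here.
    """
    name, _value, attrs = parse_set_cookie(header)
    # Prefix compared case-insensitively (assumption about the draft's rule).
    if not name.lower().startswith(PREFIX.lower()):
        return [f"name {name!r} does not carry the {PREFIX} prefix"]

    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure")
    if attrs.get("path") != "/":
        problems.append("Path must be exactly '/'")
    if "domain" in attrs:
        problems.append("Domain attribute not allowed")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    return problems


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    ok = build_set_cookie("session", "abc123")
    print(ok, check_prefixed_cookie(ok))
    bad = "__Host-Http-sid=1; Path=/; Secure; Domain=example.com"
    print(bad, check_prefixed_cookie(bad))
```

The checker is the sort of thing a BFF's own tests or a response-header linter would run; a browser receiving a prefixed cookie that violates these attributes rejects it outright, so catching the mistake server-side avoids silently losing the session.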