+1

George Fletcher 
Practical Identity LLC

On Jun 26, 2026, at 3:14 AM, Judith Kahrer <[email protected]> wrote:


Hi Aaron,

I think that sounds good and I like how it solves the dependency. Let's get the OAuth for Browser-Based Apps BCP published!

/Judith


On Fri, Jun 26, 2026, 01:52 Aaron Parecki <aaron=[email protected]> wrote:
Hi all,

As you probably know, the "OAuth for Browser-Based Apps BCP" document has been stuck in the editor's queue for almost a year waiting on the publication of RFC6265bis. In the meantime, the HTTPbis working group has revised the recommendation in RFC6265bis that we reference, changing the recommendation from prefixing cookies with "__Host-" to "__Host-Http-" in a new document draft-ietf-httpbis-layered-cookies. 

Given that we want to update the recommendation to the most current, but also don't want to be held up until the new draft-ietf-httpbis-layered-cookies is published as an RFC, we were considering options to make the text non-normative so that we can continue with publication without waiting on these.

How do folks feel about revising the recommendation in the Browser Apps BCP to the following?
 
The BFF SHOULD start the name of its cookies with a prefix indicating the cookie was set via HTTP, for example by using the `__Host-Http-` prefix defined in {{-draft-ietf-httpbis-layered-cookies}}

This text is based on the definition of the __Host-Http prefix from the draft: https://www.ietf.org/archive/id/draft-ietf-httpbis-layered-cookies-02.html#section-4.1.3.4

This helps developers and server operators to know that the cookie was set using a Set-Cookie header, and is limited in scope to HTTP requests.

This removes the normative dependency on the cookies drafts and makes it an example instead, which would enable us to proceed with publication.

Aaron

_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
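As an added illustration of the `__Host-Http-` recommendation above (example code, not part of the thread or the BCP): a small checker a BFF operator could run over the Set-Cookie values the server emits. The requirements it enforces (Secure and HttpOnly present, Path=/ exactly, no Domain attribute, set via a Set-Cookie header rather than script) are my reading of the layered-cookies draft and are assumptions, not text from the email.

```python
# Added example, not code from the BCP or this thread: a conformance checker
# for BFF session cookies that use the `__Host-Http-` prefix. Assumed
# requirements (my reading of the layered-cookies draft, not stated above):
# Secure and HttpOnly present, Path=/ exactly, no Domain attribute, and the
# cookie must arrive via a Set-Cookie header rather than document.cookie.

PREFIX = "__Host-Http-"


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, attrs); attrs maps
    lower-cased attribute names to a value, or None for flags."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return name.strip(), value, attrs


def check_host_http_prefix(header: str, via_http: bool = True) -> list:
    """Return the violations for a `__Host-Http-` cookie; [] means it
    conforms. via_http=False models a cookie written from script, which
    a conforming user agent would reject for this prefix."""
    name, _, attrs = parse_set_cookie(header)
    if not name.startswith(PREFIX):
        return [f"name does not start with {PREFIX}"]
    problems = []
    if not via_http:
        problems.append("prefix only valid when set via a Set-Cookie header")
    if "secure" not in attrs:
        problems.append("missing Secure")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    if attrs.get("path") != "/":
        problems.append("Path must be exactly /")
    if "domain" in attrs:
        problems.append("Domain attribute must be absent")
    return problems


# Constructed sample Set-Cookie values for a BFF session cookie.
GOOD = "__Host-Http-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
BAD = "__Host-Http-session=abc123; Path=/api; Secure; Domain=example.com"
```

Running `check_host_http_prefix(GOOD)` returns an empty list, while the BAD header reports the missing HttpOnly flag, the non-root Path and the stray Domain attribute.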
