http-extensions
HTTP Extensions in progress
The text in [the SVCB draft](https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-https-07.html#section-8.3) is pretty comprehensive on this point, so there is probably no need to repeat it, but a reference to that would be a good...
The draft (formerly RFC) says:

> If the connection to the alternative service does not negotiate the expected protocol (for example, ALPN fails to negotiate h2, or an Upgrade request...
Do we want to take a dependency on [draft-ietf-tls-snip](https://datatracker.ietf.org/doc/draft-ietf-tls-snip/)? Realistically, this only needs to be an informative one as the enforcement options are (currently) not very strong.
Relying purely on the public-suffix-list for limiting cookie scope doesn't scale well. It would be preferable if there was a way for servers to indicate that cookie scope should be...
It seems not quite necessary to say that it is a new field...
Although the document describes the 'test-report' as optional, this is not communicated in #generating-a-violation-report. I have updated the 'scheme' key description to match the new 'test-report' key description.
The introduction in the variants draft gives the following example:

~~~
HTTP/1.1 200 OK
Content-Type: text/html
Content-Language: en
Vary: Accept-Language
Variants: Accept-Language;de;en;jp
Variant-Key: en
Transfer-Encoding: chunked
~~~

But the syntax...
Sparked from: https://github.com/web-platform-tests/wpt/issues/26123 [6265bis-06](https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-06) doesn't seem to have any instructions on how to handle cookies set on/by localhost. More specifically for this issue: how the Domain attribute should be handled....
The current draft prevents cookies marked as 'Secure' from being overwritten or evicted from a non-secure origin (e.g., section 5.4), but it does nothing to prevent JavaScript from overwriting a...
This foremost relates to the arbitrary limits that cookie stores place on cookies, both globally and per-domain. RFC 6265 says the following:

> At any time, the user agent MAY...