talk about assumptions of state based on connections

Fixes #458
httpwg · Feb 13, 2018 · 7361864 · 7361864
1 parent a868e00
commit 7361864
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/draft-ietf-httpbis-bcp56bis.md b/draft-ietf-httpbis-bcp56bis.md
@@ -473,7 +473,7 @@ to access resources from another, to avoid the "confused deputy" problem. As a r
 that wish to expose cross-origin data to browsers will need to implement {{!W3C.REC-cors-20140116}}.
 
 
-### Authentication and Application State {#state}
+## Authentication and Application State {#state}
 
 Applications that use HTTP MAY use stateful cookies {{?RFC6265}} to identify a client and/or store
 client-specific data to contextualise requests.
@@ -486,6 +486,9 @@ In either case, it is important to carefully specify the scoping and use of thes
 they expose sensitive data or capabilities (e.g., by acting as an ambient authority), exploits are
 possible. Mitigations include using a request-specific token to assure the intent of the client.
 
+Applications MUST NOT make assumptions about the relationship between separate requests on a single
+transport connection; doing so breaks many of the assumptions of HTTP as a stateless protocol, and
+will cause problems in interoperability, security, operability and evolution.
 
 
 # IANA Considerations