From 7361864bbd20644bd5fc11a3dc3b475501611a69 Mon Sep 17 00:00:00 2001 From: Mark Nottingham Date: Tue, 13 Feb 2018 15:44:11 +1100 Subject: [PATCH] talk about assumptions of state based on connections Fixes #458 --- draft-ietf-httpbis-bcp56bis.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/draft-ietf-httpbis-bcp56bis.md b/draft-ietf-httpbis-bcp56bis.md index 579582633..d37b95df3 100644 --- a/draft-ietf-httpbis-bcp56bis.md +++ b/draft-ietf-httpbis-bcp56bis.md @@ -473,7 +473,7 @@ to access resources from another, to avoid the "confused deputy" problem. As a r that wish to expose cross-origin data to browsers will need to implement {{!W3C.REC-cors-20140116}}. -### Authentication and Application State {#state} +## Authentication and Application State {#state} Applications that use HTTP MAY use stateful cookies {{?RFC6265}} to identify a client and/or store client-specific data to contextualise requests. @@ -486,6 +486,9 @@ In either case, it is important to carefully specify the scoping and use of thes they expose sensitive data or capabilities (e.g., by acting as an ambient authority), exploits are possible. Mitigations include using a request-specific token to assure the intent of the client. +Applications MUST NOT make assumptions about the relationship between separate requests on a single +transport connection; doing so breaks many of the assumptions of HTTP as a stateless protocol, and +will cause problems in interoperability, security, operability and evolution. # IANA Considerations
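Review bot: The first hunk (the `-### Authentication and Application State {#state}` / `+## ...` lines) promotes this section from a third-level to a second-level heading, which changes where it sits relative to the surrounding cross-origin/CORS text, but the commit message only describes the new connection-state paragraph. Either mention the heading promotion in the message or split it into its own commit, and check that the sibling sections under the same parent are promoted consistently so the document outline stays uniform.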
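Review bot: The second hunk's new paragraph ("Applications MUST NOT make assumptions about the relationship between separate requests on a single transport connection") states a normative requirement and a list of consequences ("interoperability, security, operability and evolution") without saying why the assumption is wrong, which is what an application designer needs to be convinced. Suggest adding the one-sentence rationale: intermediaries routinely reuse a single upstream connection for requests from many different clients, and a client may spread its requests across several connections, so a transport connection identifies neither a client nor a session. That also ties the new text to the preceding paragraph's point about ambient authority: treating an earlier request's authentication as applying to later requests on the same connection is exactly the kind of ambient authority it warns against.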