[proposal] X-Client-State header for Sync relaunch

Nick Alexander nalexander at mozilla.com
Mon Jan 27 10:03:36 PST 2014

On 1/27/2014, 9:46 AM, Nick Alexander wrote:
> Sync relaunch clients need to provide the X-Client-State header to the
> token server in order to not hit HMAC errors on key changes.  We need to
> do this, it needs to be secure, but we can't version it client-side.  Whee!
>  From the token server docs:
> **X-Client-State**
>      An optional base64-urlsafe string, up to 32 characters long, that
>      can be sent to identity a unique configuration of client-side state.
>      A change in the value of this header will cause the user's node
>      allocation to be reset.  Clients should include any client-side state
>      that is necessary for accessing the selected app.
> Initial put
> How about HKDF(kB, salt=emailUTF8, context=KW("X-Client-State"), 16)?

Oops, I mean the base64-urlsafe encoding of these 16 bytes.


More information about the Sync-dev mailing list