[http-state] Ticket 6: host-only cookies

Adam Barth <ietf@adambarth.com> Fri, 22 January 2010 08:51 UTC

Return-Path: <adam@adambarth.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 249D43A6884 for <http-state@core3.amsl.com>; Fri, 22 Jan 2010 00:51:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.614
X-Spam-Level:
X-Spam-Status: No, score=-1.614 tagged_above=-999 required=5 tests=[AWL=-0.237, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_33=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jqBX-Y2tKMcY for <http-state@core3.amsl.com>; Fri, 22 Jan 2010 00:51:05 -0800 (PST)
Received: from mail-pw0-f50.google.com (mail-pw0-f50.google.com [209.85.160.50]) by core3.amsl.com (Postfix) with ESMTP id 2211F3A6859 for <http-state@ietf.org>; Fri, 22 Jan 2010 00:51:05 -0800 (PST)
Received: by pwi20 with SMTP id 20so661400pwi.29 for <http-state@ietf.org>; Fri, 22 Jan 2010 00:50:57 -0800 (PST)
MIME-Version: 1.0
Received: by 10.142.59.18 with SMTP id h18mr1842597wfa.27.1264150257089; Fri, 22 Jan 2010 00:50:57 -0800 (PST)
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 22 Jan 2010 00:50:37 -0800
Message-ID: <7789133a1001220050m56cc438x35099b7972639331@mail.gmail.com>
To: http-state <http-state@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
Subject: [http-state] Ticket 6: host-only cookies
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jan 2010 08:51:06 -0000

I raised this ticket because I wanted to check with the working group
since this is a non-trivial decision:
http://trac.tools.ietf.org/wg/httpstate/trac/ticket/6

== Overview ==

If http://example.com/ sends the following header:

Set-Cookie: foo=bar

what Cookie header should the user agent generate for http://qux.example.com/ ?

Firefox, Chrome, Safari, and Opera say that foo=bar is a "host-only"
cookie that is returned to example.com only.  Internet Explorer
doesn't have a concept of a host-only cookie and returns the cookie to
example.com and all of its subdomains, including qux.example.com.

The lack of host-only cookies in IE is a security issue because it
prevents hosts from keeping cookies confidential from their
subdomains.  This behavior surprises enough web developers to be on
Eric's cookie FAQ (see Q3):

http://blogs.msdn.com/ieinternals/archive/2009/08/20/WinINET-IE-Cookie-Internals-FAQ.aspx

== Proposal ==

1) Specify host-only cookies to match Firefox, Chrome, Safari, and
Opera.  This is best for security, and I think there's a good chance
that IE will adopt host-only cookies in future, but I don't have any
citable evidence for this belief.  (The draft currently matches this
proposal.)

== Alternatives ==

2) Specify the IE behavior.  I think this approach is a dead end
because I'd be very surprised if all the non-IE browsers weakened
their security in this regard.

3) Allow both behaviors.  This alternative is the worst for security
because it makes the cookie protocol less predictable.  When all the
other browsers agree on a behavior that's better than the IE behavior,
I think we can require the non-IE behavior.

Adam