Re: [http-state] Ticket 3: Public Suffixes
"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> Sat, 16 January 2010 19:02 UTC
Return-Path: <yngve@opera.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2DFD13A6A02 for <http-state@core3.amsl.com>; Sat, 16 Jan 2010 11:02:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.299
X-Spam-Level:
X-Spam-Status: No, score=-6.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MnjgNlLHVTW9 for <http-state@core3.amsl.com>; Sat, 16 Jan 2010 11:02:13 -0800 (PST)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by core3.amsl.com (Postfix) with ESMTP id 95DCC3A693E for <http-state@ietf.org>; Sat, 16 Jan 2010 11:02:12 -0800 (PST)
Received: from acorna.invalid.invalid (pat-tdc.opera.com [213.236.208.22]) (authenticated bits=0) by smtp.opera.com (8.14.3/8.14.3/Debian-5) with ESMTP id o0GIwq2k016138 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 16 Jan 2010 18:58:53 GMT
Date: Sat, 16 Jan 2010 20:01:56 +0100
To: Daniel Stenberg <daniel@haxx.se>
From: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Organization: Opera Software AS
Content-Type: text/plain; format="flowed"; delsp="yes"; charset="iso-8859-15"
MIME-Version: 1.0
References: <7789133a1001160001h62d203b3w76e175ec22d55e6@mail.gmail.com> <op.u6mioszyqrq7tp@acorna.invalid.invalid> <alpine.DEB.2.00.1001161609220.473@tvnag.unkk.fr>
Content-Transfer-Encoding: 8bit
Message-ID: <op.u6m25iflqrq7tp@acorna.invalid.invalid>
In-Reply-To: <alpine.DEB.2.00.1001161609220.473@tvnag.unkk.fr>
User-Agent: Opera Mail/9.65 (Win32)
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Ticket 3: Public Suffixes
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Jan 2010 19:02:14 -0000
On Sat, 16 Jan 2010 16:23:49 +0100, Daniel Stenberg <daniel@haxx.se> wrote: > On Sat, 16 Jan 2010, Yngve N. Pettersen (Developer Opera Software ASA) > wrote: > >> Alternative 4: Use a DNS based heuristic by only allowing cookies set >> to domains that have an IP address defined. If there is no IP address, >> remove the domain attribute >> >> See my draft describing Opera's implementation: >> http://www.ietf.org/internet-drafts/draft-pettersen-dns-cookie-validate-05.txt > > That's a 404, but I found it here: Sorry, thought it was still valid. Will renew shortly. Archive copies are also available from my homepage. > > http://tools.ietf.org/html/draft-pettersen-dns-cookie-validate-05 > > ... so Opera is actually using this now? We have been using this method since v3.6, about 9-10 years. > I know for a fact that there is at least one domain in .se that is > actually using one of the documented suffixlist domains for a company > (apparently it was baught and handed out more or less by mistake > but...). This actually makes it possible to resolve the name to an IP > even though browsers using the suffixlist will treat it as invalid. This > would speak FOR this concept. But likewise I can imagine there are sites > that own example.com but without IP and they use two subdomain sites > like foo.example.com and bar.example.com that both set cookies for > example.com... These kind of sites is what is causing occasional problems. In Opera they can be worked around by setting an allow filter for the domain. IMO this problem is alleviated by the common procedure by sites to use example.com as an alias for www.example.com. > Unfortunately I don't have any particularly good idea on how to include > all this in our spec. I think perhaps the only thing to do is to include > a discussion about the problems and mention exactly this: a few ways > that current implmentations use. I might note that the DNSop community have strong opinions against assuming anything about different levels of the DNS hierarchy. (My summary: They don't like the current method of domain specification in cookies, and they don't like public suffix) >> Alternative 5: (which require an extensive change of the cookie >> specification) > > Right, but if changing the spec would even be considered we could easily > come up with many more alternatives... .-) Some have suggested that clients probe servers for permission before sending cookies. I think that long term domain owners should have a way define policies (such as cookies, scripting etc.) for their domain, possibly using a file format similar to what I have proposed for the public suffix system. One way to proceed, what might be called alternative 6 in combination with other requirements, is that each cookie is associated with its origin hostname, for example in the form of a "$origin=server.example.com" value. This would allow the server to distinguish between valid and invalid cookies. This does however require an extension of the Cookie header syntax and semantics. It would IMO be easy to implement, and servers should ignore the values if they do not understand them. Another way to proceed, which requires more changes to the spec, would be to deprecate "domain" for parent domain, and encourage adoption of domain=.hostname and/or a "subdomain=true" attribute, in combination with the $origin attribute -- Sincerely, Yngve N. Pettersen ******************************************************************** Senior Developer Email: yngve@opera.com Opera Software ASA http://www.opera.com/ Phone: +47 24 16 42 60 Fax: +47 24 16 40 01 ********************************************************************
- [http-state] Ticket 3: Public Suffixes Adam Barth
- Re: [http-state] Ticket 3: Public Suffixes Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Ticket 3: Public Suffixes Daniel Stenberg
- Re: [http-state] Ticket 3: Public Suffixes Adam Barth
- Re: [http-state] Ticket 3: Public Suffixes Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Ticket 3: Public Suffixes Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Ticket 3: Public Suffixes corvid
- Re: [http-state] Ticket 3: Public Suffixes Adam Barth
- Re: [http-state] Ticket 3: Public Suffixes Adam Barth
- Re: [http-state] Ticket 3: Public Suffixes Adam Barth
- Re: [http-state] Ticket 3: Public Suffixes Yngve N. Pettersen (Developer Opera Software ASA)
- [http-state] Meeting in Anaheim? David Morris
- Re: [http-state] Meeting in Anaheim? Bil Corry