[http-state] Draft for $Origin attribute published

"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> Mon, 01 March 2010 23:31 UTC

Return-Path: <yngve@opera.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 000253A8883 for <http-state@core3.amsl.com>; Mon, 1 Mar 2010 15:31:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id GabyUilS9wtz for <http-state@core3.amsl.com>; Mon, 1 Mar 2010 15:31:24 -0800 (PST)
Received: from smtp.opera.com (smtp.opera.com []) by core3.amsl.com (Postfix) with ESMTP id B25873A85B5 for <http-state@ietf.org>; Mon, 1 Mar 2010 15:31:23 -0800 (PST)
Received: from acorna (pat-tdc.opera.com []) (authenticated bits=0) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id o21NVLfB027050 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <http-state@ietf.org>; Mon, 1 Mar 2010 23:31:22 GMT
Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes
Date: Tue, 02 Mar 2010 00:31:14 +0100
To: "Discuss HTTP State Management Mechanism" <http-state@ietf.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
From: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Organization: Opera Software AS
Message-ID: <op.u8wwycp7qrq7tp@acorna>
User-Agent: Opera Mail/10.10 (Win32)
Subject: [http-state] Draft for $Origin attribute published
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2010 23:31:25 -0000

Hello all,

I have submitted a draft describing the $Origin Cookie header attribute I  
suggested during the public suffix discussion earlier.

This document is based on the suggestion I've previously included in the  
Cookie-v2 draft.

Filename:	 draft-pettersen-cookie-origin
Revision:	 00
Title:		 Identifying origin server of HTTP Cookies
Creation_date:	 2010-03-01
WG ID:		 Independent Submission
Number_of_pages: 7

HTTP Cookies, as originally defined by Netscape in [NETSC] and as
later updated by [RFC2109] and [RFC2965] left unaddressed the issue
of how to restrict which domains a server can set a cookie for, which
is particularly a problem for servers hosted in top level domains that
have subdomains that are controlled by registries, not domain owners,
e.g. co.uk and city.state.us domains.  In such situations, unless the
client uses some kind of domain black-list it is possible for a
malicious server to set cookies that the client will send to all
servers in a domain the attacker does not control, and these cookies
may adversely affect the function of servers receiving them.  The
primary reason this is a problem is that the server receiving the
cookie has no way of telling which server originally set it, and is
therefore not able to reliably distinguish an invalid cookie from a
valid cookie.  This document proposes a new attribute, "$Origin",
that is associated with each cookie and sent in all of the client's
Cookie headers in requests to the server.  Servers recognizing the
attribute may then check to see if the cookie was set by a server
allowed to set cookies for the server, and if necessary ignore the


Yngve N. Pettersen

Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
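The server-side check the abstract describes, written out as an added example; this is not code from the draft or from Opera, and the details it fixes are assumptions: the client is assumed to send the originating host as a `$Origin=host` attribute directly after each cookie (in the style of RFC 2965's `$Path`/`$Domain`), the server's policy is assumed to be "the origin host must share a registrable domain with the request host", and the public-suffix list is a tiny constructed stand-in for a real one. The sample Cookie header is constructed as well: two cookies named `session`, one set under the site's own domain and one by a sibling host under the registry-controlled `co.uk`, which a server without `$Origin` could not tell apart.

```python
"""
Hypothetical server-side validation of a $Origin cookie attribute.

Assumptions (not taken from the draft text on this page):
  - each cookie in the Cookie header may be followed by `$Origin=host`,
    naming the host that originally set it;
  - a cookie is honoured only if that host shares a registrable domain
    (public suffix + one label) with the request host;
  - PUBLIC_SUFFIXES is a constructed stand-in for a real suffix list.
"""
from typing import List, NamedTuple, Optional, Tuple

# Constructed stand-in for a registry-controlled suffix list.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "us", "ny.us", "city.ny.us"}


class CookieEntry(NamedTuple):
    name: str
    value: str
    origin: Optional[str]  # host named by $Origin, None if the client sent none


def parse_cookie_header(header: str) -> List[CookieEntry]:
    """Split a Cookie header into cookies, attaching a trailing $Origin to its cookie."""
    entries: List[CookieEntry] = []
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        name, value = name.strip(), value.strip().strip('"')
        if name == "$Origin":
            if entries:  # a leading $Origin with no cookie before it is ignored
                entries[-1] = entries[-1]._replace(origin=value.lower())
            continue
        if name.startswith("$"):
            continue  # other RFC 2965 attributes ($Path, $Domain) are not needed here
        entries.append(CookieEntry(name, value, None))
    return entries


def registrable_domain(host: str) -> Optional[str]:
    """Public suffix plus one label, e.g. www.bank.co.uk -> bank.co.uk.

    Returns None when the host is itself a public suffix (nobody may own
    cookies for it).  Hosts under a suffix not in the list fall back to
    treating the last label as the TLD.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def origin_may_set_cookie_for(origin: str, request_host: str) -> bool:
    """True if `origin` and `request_host` share a registrable domain.

    www.bank.co.uk -> bank.co.uk : allowed (same registrable domain)
    evil.co.uk     -> bank.co.uk : rejected (they share only the suffix co.uk)
    co.uk          -> bank.co.uk : rejected (origin is a registry suffix)
    """
    rd_origin = registrable_domain(origin)
    return rd_origin is not None and rd_origin == registrable_domain(request_host)


def accept_cookies(header: str, request_host: str,
                   require_origin: bool = False) -> Tuple[List[CookieEntry], List[CookieEntry]]:
    """Partition the cookies in `header` into (accepted, rejected) for `request_host`.

    Cookies without $Origin come from clients that do not implement the
    attribute; they are accepted unless `require_origin` is set.
    """
    accepted: List[CookieEntry] = []
    rejected: List[CookieEntry] = []
    for cookie in parse_cookie_header(header):
        if cookie.origin is None:
            (rejected if require_origin else accepted).append(cookie)
        elif origin_may_set_cookie_for(cookie.origin, request_host):
            accepted.append(cookie)
        else:
            rejected.append(cookie)
    return accepted, rejected


# Constructed request: bank.co.uk receives a genuine session cookie set by
# www.bank.co.uk, a same-named cookie planted by evil.co.uk via a ".co.uk"
# Domain attribute, and a legacy cookie from a client without $Origin.
SAMPLE_HEADER = ("session=abc; $Origin=www.bank.co.uk; "
                 "session=pwn; $Origin=evil.co.uk; "
                 "legacy=x")

if __name__ == "__main__":
    ok, bad = accept_cookies(SAMPLE_HEADER, "bank.co.uk")
    print("accepted:", [(c.name, c.value, c.origin) for c in ok])
    print("rejected:", [(c.name, c.value, c.origin) for c in bad])
```

Note that the policy here is the receiving server's own choice; the attribute only makes the originating host visible so that a policy can be applied at all. A server that wants to reject cookies from clients that do not send `$Origin` can pass `require_origin=True`, at the cost of breaking those clients.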