[http-state] Draft for $Origin attribute published
"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> Mon, 01 March 2010 23:31 UTC
Date: Tue, 02 Mar 2010 00:31:14 +0100
To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
From: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Organization: Opera Software AS
Message-ID: <op.u8wwycp7qrq7tp@acorna>
Subject: [http-state] Draft for $Origin attribute published
Hello all,

I have submitted a draft describing the $Origin Cookie header attribute I suggested during the public suffix discussion earlier. This document is based on the suggestion I've previously included in the Cookie-v2 draft.

----------------------
Filename:        draft-pettersen-cookie-origin
Revision:        00
Title:           Identifying origin server of HTTP Cookies
Creation_date:   2010-03-01
WG ID:           Independent Submission
Number_of_pages: 7

Abstract:
HTTP Cookies, as originally defined by Netscape in [NETSC] and as later updated by [RFC2109] and [RFC2965], left unaddressed the issue of how to restrict which domains a server can set a cookie for, which is particularly a problem for servers hosted in top level domains that have subdomains controlled by registries, not domain owners, e.g. co.uk and city.state.us domains. In such situations, unless the client uses some kind of domain black-list, it is possible for a malicious server to set cookies that the client will send to all servers in a domain the attacker does not control, and these cookies may adversely affect the function of servers receiving them.

The primary reason this is a problem is that the server receiving the cookie has no way of telling which server originally set it, and is therefore not able to reliably distinguish an invalid cookie from a valid cookie.

This document proposes a new attribute, "$Origin", that is associated with each cookie and sent in all the client's Cookie headers in requests to the server. Servers recognizing the attribute may then check to see if the cookie was set by a server allowed to set cookies for the server, and if necessary ignore the cookie.

http://tools.ietf.org/id/draft-pettersen-cookie-origin-00.txt

-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
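The following is an added illustration of the server-side check the abstract describes; it is not code from the draft, from the author, or from Opera. It assumes an RFC 2965-style attribute syntax in which each cookie pair may be followed by `$Origin=<host that set the cookie>` (the draft's exact syntax may differ), and it uses a tiny constructed public suffix set in place of a real public suffix list. It goes slightly beyond the abstract by spelling out what "allowed to set cookies for the server" means here: the origin is the receiving host itself, or a parent domain of it that is not a registry-controlled suffix such as co.uk.

```python
"""Server-side filter for Cookie headers that carry a $Origin attribute.

Added example; not the draft's or Opera's code. Assumptions (labelled):
  * Syntax (assumed): "$Origin=<host>" follows the cookie it describes, e.g.
        Cookie: sid=abc; $Origin=www.shop.co.uk; pref=1; $Origin=shop.co.uk
  * PUBLIC_SUFFIXES is a constructed stand-in for a real public suffix list.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed, deliberately tiny; a deployment would load the real list.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "us", "ny.us", "city.ny.us"}


class CookieRecord(NamedTuple):
    name: str
    value: str
    origin: Optional[str]  # None when the client sent no $Origin for it


def parse_cookie_header(header: str) -> List[CookieRecord]:
    """Split a Cookie header into (name, value, origin) records.

    A "$Origin=" token applies to the cookie immediately before it; tokens
    beginning with "$" are never treated as cookies themselves.
    """
    records: List[CookieRecord] = []
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name, value = name.strip(), value.strip().strip('"')
        if name.startswith("$"):
            if name.lower() == "$origin" and records:
                records[-1] = records[-1]._replace(origin=value.lower())
            continue  # unknown $-attributes are ignored, not stored
        records.append(CookieRecord(name, value, None))
    return records


def is_public_suffix(domain: str) -> bool:
    return domain.lower() in PUBLIC_SUFFIXES


def origin_allowed(origin: str, request_host: str) -> bool:
    """True when 'origin' could legitimately have set a cookie for request_host.

    Allowed: the receiving host itself, or a parent domain of it that is not
    a registry-controlled public suffix (the co.uk / city.state.us case).
    """
    origin, request_host = origin.lower(), request_host.lower()
    if origin == request_host:
        return True
    if not request_host.endswith("." + origin):
        return False  # unrelated host: cannot have set cookies for us
    return not is_public_suffix(origin)


def filter_cookies(
    header: str, request_host: str, require_origin: bool = False
) -> Tuple[Dict[str, str], List[CookieRecord]]:
    """Return (accepted name->value, rejected records) for a request to request_host."""
    accepted: Dict[str, str] = {}
    rejected: List[CookieRecord] = []
    for rec in parse_cookie_header(header):
        if rec.origin is None:
            # Legacy client: no way to tell who set it. Keep it unless the
            # deployment insists on the attribute being present.
            if require_origin:
                rejected.append(rec)
            else:
                accepted[rec.name] = rec.value
            continue
        if origin_allowed(rec.origin, request_host):
            accepted[rec.name] = rec.value
        else:
            rejected.append(rec)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed request: "sid" was set at the registry suffix co.uk,
    # "pref" by the site itself, "legacy" by a client without $Origin.
    hdr = "sid=hijack; $Origin=co.uk; pref=dark; $Origin=www.shop.co.uk; legacy=1"
    ok, bad = filter_cookies(hdr, "www.shop.co.uk")
    print("accepted:", ok)
    print("rejected:", [(r.name, r.origin) for r in bad])
```

The rejected list is worth logging: a cookie whose `$Origin` is a public suffix or an unrelated host is exactly the condition the abstract warns about, and a count of such rejections per source is a cheap signal that someone is planting cookies above the registry boundary.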