Re: [http-state] Browser Behaviors on Cookie Domain and Public Suffix

Zhong Yu <zhong.j.yu@gmail.com> Mon, 25 May 2015 02:01 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/http-state/437D8YgcJOUTqsH0cnhSxBieS80>

Based on the previous observations and reasoning, I'm going to propose an
Errata for RFC 6265. Since the subject is messy and controversial, I'll wait
for some time though. If nobody objects, I'll submit the Errata on Thursday.

I think an errata is needed here because an implementer reading the RFC and
publicsuffix.org may have missed the nuances, and accidentally allowed
super cookies.

Proposed Errata: (technical)

Section 5.3 says:

   If the user agent is configured to reject "public suffixes" and the
   domain-attribute is a public suffix:

           If the domain-attribute is identical to the canonicalized
           request-host:

              Let the domain-attribute be the empty string.

           Otherwise:

              Ignore the cookie entirely and abort these steps.


It should say:

   If the user agent is configured to reject "public suffixes" and the
   domain-attribute is a TLD, or a public suffix, or any parent domain of a
   public suffix:

              Ignore the cookie entirely and abort these steps.


Notes:

1. "TLD" is explicitly mentioned, because a TLD may not be a public suffix.

2. "parent of public suffix" is explicitly mentioned, because it may not be
a public suffix.

3. The clause to set domain-attribute="" is removed for simplicity and
interoperability; only Firefox implements it; and it doesn't seem very
useful.

--

Zhong Yu
bayou.io
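
The published Section 5.3 step and the proposed replacement, compared side by side as an added example (not part of the original message and not any browser's code). The suffix list and host names are constructed, only exact-match suffix entries are handled (no wildcard or exception rules), the function names are hypothetical, and the domain-attribute is assumed to be already canonicalized (lower case, leading dot removed).

```python
# Constructed suffix list for illustration only. A real user agent would load
# the list from publicsuffix.org and also apply wildcard/exception rules.
SUFFIXES = frozenset({"com", "co.uk", "hosting.example.net"})


def is_tld(domain):
    """A single-label name, whether or not the suffix list has an entry for it."""
    return "." not in domain


def is_parent_of_suffix(domain, suffixes):
    """True if some listed suffix is a strict subdomain of `domain`."""
    return any(s.endswith("." + domain) for s in suffixes)


def rfc6265_step(domain_attr, request_host, suffixes=SUFFIXES):
    """Public-suffix step of Section 5.3 as published."""
    if not domain_attr:                 # no Domain attribute: nothing to check
        return "continue"
    if domain_attr in suffixes:
        if domain_attr == request_host:
            return "host-only"          # domain-attribute becomes the empty string
        return "ignore"
    return "continue"                   # later steps apply the usual domain-match


def proposed_step(domain_attr, suffixes=SUFFIXES):
    """The step as worded in the proposed erratum."""
    if not domain_attr:
        return "continue"
    if (is_tld(domain_attr) or domain_attr in suffixes
            or is_parent_of_suffix(domain_attr, suffixes)):
        return "ignore"
    return "continue"


def compare(cases, suffixes=SUFFIXES):
    """Return (domain_attr, request_host, published result, proposed result) rows."""
    return [(d, h, rfc6265_step(d, h, suffixes), proposed_step(d, suffixes))
            for d, h in cases]


if __name__ == "__main__":
    constructed_cases = [
        ("uk", "shop.co.uk"),                     # TLD missing from the list
        ("example.net", "a.hosting.example.net"), # parent of a listed suffix
        ("co.uk", "co.uk"),                       # suffix equal to request-host
        ("shop.co.uk", "www.shop.co.uk"),         # ordinary registrable domain
    ]
    for row in compare(constructed_cases):
        print("Domain=%-12s host=%-22s published=%-9s proposed=%s" % row)
```

The first two rows are the cases notes 1 and 2 describe: the published step returns "continue" for both, so the cookie goes on to the ordinary domain-match check, while the proposed wording ignores it.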