Re: [http-state] Origin cookies
"Remy Lebeau" <remy@lebeausoftware.org> Sun, 06 March 2011 02:59 UTC
Return-Path: <SRS0=NQiGmf=V7=lebeausoftware.org=remy@srs.bis.na.blackberry.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E72173A6A42 for <http-state@core3.amsl.com>; Sat, 5 Mar 2011 18:59:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.742
X-Spam-Level:
X-Spam-Status: No, score=-4.742 tagged_above=-999 required=5 tests=[AWL=0.104, BAYES_00=-2.599, MIME_BASE64_TEXT=1.753, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eezoZulyTeFQ for <http-state@core3.amsl.com>; Sat, 5 Mar 2011 18:59:08 -0800 (PST)
Received: from smtp15.bis.na.blackberry.com (smtp15.bis.na.blackberry.com [216.9.248.29]) by core3.amsl.com (Postfix) with ESMTP id C821C3A6A41 for <http-state@ietf.org>; Sat, 5 Mar 2011 18:59:07 -0800 (PST)
Received: from bda933.bisx.prod.on.blackberry (bda933.bisx.prod.on.blackberry [172.20.220.96]) by srs.bis.na.blackberry.com (8.13.7 TEAMON/8.13.7) with ESMTP id p2630Eu5009122 for <http-state@ietf.org>; Sun, 6 Mar 2011 03:00:14 GMT
Received: from bda933.bisx.prod.on.blackberry (localhost.localdomain [127.0.0.1]) by bda933.bisx.prod.on.blackberry (8.13.7 TEAMON/8.13.7) with ESMTP id p2630Evp016335 for <http-state@ietf.org>; Sun, 6 Mar 2011 03:00:14 GMT
X-rim-org-msg-ref-id: 420023720
Message-ID: <420023720-1299380409-cardhu_decombobulator_blackberry.rim.net-1702579028-@bda461.bisx.prod.on.blackberry>
Content-Transfer-Encoding: base64
X-Priority: Normal
References: <AANLkTikTWEyOrUCZo3CbZeN61eqXEZ2JYeELV=R+paye@mail.gmail.com>
In-Reply-To: <AANLkTikTWEyOrUCZo3CbZeN61eqXEZ2JYeELV=R+paye@mail.gmail.com>
Sensitivity: Normal
Importance: Normal
To: http-state <http-state@ietf.org>
From: Remy Lebeau <remy@lebeausoftware.org>
Date: Sun, 06 Mar 2011 03:00:13 +0000
Content-Type: text/plain
MIME-Version: 1.0
Subject: Re: [http-state] Origin cookies
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: remy@lebeausoftware.org
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Mar 2011 02:59:55 -0000
Other than a typo near the end: "... the non-origin cookies are returned in the Origin-Cookie header field." I don't understand why a separate Origin-Cookie request header is needed. It seems the Origin attribute of a cookie simply says the cookie can only be sent back to the URL it came from, while the Path/Domain/Secure attributes allow the cookie to be sent to any URL that satisfies the combo. So why add extra complexity of a new header? How does the server validate the legitimacy of the Origin-Cookie versus what it already validates for the Cookie header? -----Original Message----- From: Adam Barth <ietf@adambarth.com> Sender: http-state-bounces@ietf.org Date: Sat, 5 Mar 2011 17:46:54 To: http-state<http-state@ietf.org> Subject: [http-state] Origin cookies Hi http-state, Now that we're done with phase 1, I've updated my phase 2 proposal: http://www.ietf.org/id/draft-abarth-cake-01.txt There's a bunch of boilerplate (and missing sections) in that document. The main idea is to provide a new cookie attribute that lets server harmonize the security policy of their cookies with the same-origin policy. Harmonizing the two policies has a number of general security benefits because security vulnerabilities often arise when there's an impedance mismatch between security policies. Specifically, origin cookies mitigate an important security hole in cookies by preventing active network attackers from setting cookies that overwrite the session identifies used by HTTPS web sites, e.g. as described in Section 8.6 of draft-ietf-httpstate-cookie. Let me know if you have any feedback. Thanks! Adam ----8<---- Abstract This document defines the Origin attribute for cookies, which lets servers harmonize the security policy of their cookies with the widely used same-origin policy. Origin cookies provide both confidentiality and integrity, unlike the Secure attribute, which provides only confidentiality. 3. Overview Using the Origin attribute, a server can set a cookie for its origin. Unlike the Path, Domain, and Secure attributes, the Origin attribute harmonizes the security properties of the cookie with the same-origin policy [cite: Principles of Origin]. In particular, the Origin attribute provides both confidentiality and integrity from other origins. The Origin attribute superceeds the Path, Domain, and Secure attributes. The server can set these attributes as well to control the scope of cookies in legacy user agents. User agents that support origin cookies will ignore these attributes when the Origin attribute is present. Origin cookies are returned from the user agent to the server in the Origin-Cookie header field and not the Cookie header field because the Cookie header field does not provide any information about the source of the cookie. When the server receives a cookie in the Origin-Cookie header field, the server can reason that the cookie was set by its own origin, and not injected by another origin. 3.1. Examples The server can set an origin cookie, which is returned in the Origin- Cookie header field. Origin cookies support all the same attributes as other kinds of cookies, except Path, Domain, and Secure, which are ignored. == Server -> User Agent == Set-Cookie: SID=31d4d96e407aad42; Origin == User Agent -> Server == Origin-Cookie: SID=31d4d96e407aad42 Non-origin cookies are returned in the Cookie header as usual. If the user agent sends the server both origin and non-origin cookies, the origin cookies are returned in the Origin-Cookie header field and the non-origin cookies are returned in the Origin-Cookie header field. == Server -> User Agent == Set-Cookie: SID=31d4d96e407aad42; Origin Set-Cookie: lang=en-US; Path=/; Domain=example.com == User Agent -> Server == Cookie: lang=en-US Origin-Cookie: SID=31d4d96e407aad42 ---->8---- _______________________________________________ http-state mailing list http-state@ietf.org https://www.ietf.org/mailman/listinfo/http-state
- [http-state] Origin cookies Adam Barth
- Re: [http-state] Origin cookies Remy Lebeau
- Re: [http-state] Origin cookies Adam Barth
- Re: [http-state] Origin cookies tho
- Re: [http-state] Origin cookies Adam Barth
- Re: [http-state] Origin cookies tho
- Re: [http-state] Origin cookies Adam Barth
- Re: [http-state] Origin cookies tho
- Re: [http-state] Origin cookies Adam Barth
- Re: [http-state] Origin cookies tho