Re: [http-state] Browser Behaviors on Cookie Domain and Public Suffix

Zhong Yu <zhong.j.yu@gmail.com> Thu, 28 May 2015 15:11 UTC

I will not file the errata at this time; the situation at publicsuffix.org
is quite confusing [1]; we need more time before things settle down.
Implementers depending on rfc6265 and publicsuffix.org need to figure out
what to do on their own.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1139842#c69

Zhong Yu
bayou.io


On Sun, May 24, 2015 at 9:01 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote:

> Based on the previous observations and reasonings, I'm going to propose an
> Errata for rfc6265. Since the subject is messy and controversial, I'll wait
> for some time though. If nobody objects, I'll submit the Errata on Thursday.
>
> I think an errata is needed here because an implementer reading the RFC
> and publicsuffix.org may have missed the nuances, and accidentally
> allowed super cookies.
>
> Proposed Errata: (technical)
>
> Section 5.3 says:
>
>    If the user agent is configured to reject "public suffixes" and the
>    domain-attribute is a public suffix:
>
>            If the domain-attribute is identical to the canonicalized
>            request-host:
>
>               Let the domain-attribute be the empty string.
>
>            Otherwise:
>
>               Ignore the cookie entirely and abort these steps.
>
>
> It should say:
>
>    If the user agent is configured to reject "public suffixes" and the
>    domain-attribute is a TLD, or a public suffix, or any parent domain of a
>    public suffix:
>
>               Ignore the cookie entirely and abort these steps.
>
>
> Notes:
>
> 1. "TLD" is explicitly mentioned, because a TLD may not be a public suffix.
>
> 2. "parent of public suffix" is explicitly mentioned, because it may not
> be a public suffix.
>
> 3. The clause to set domain-attribute="" is removed for simplicity and
> interoperability; only Firefox implements it; and it doesn't seem very
> useful.
>
> --
>
> Zhong Yu
> bayou.io
>
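
The RFC 6265 Section 5.3 step quoted above, side by side with the proposed replacement, as an added example that is not part of the original messages. It assumes host names that are already canonicalized, a constructed suffix list (not real publicsuffix.org data), and an implementation that checks the list by literal lookup; all function names are hypothetical.

```python
# Constructed sample list for illustration; NOT real publicsuffix.org data.
# Note that "zz" and "b.zz" are deliberately absent from it.
PUBLIC_SUFFIXES = {"com", "co.zz", "a.b.zz"}

def domain_match(host, domain):
    """RFC 6265 Section 5.1.3 for host names (IP addresses not handled)."""
    return host == domain or host.endswith("." + domain)

def is_public_suffix(domain):
    # Assumption: literal list lookup, no implicit rule for unlisted TLDs.
    return domain in PUBLIC_SUFFIXES

def is_parent_of_public_suffix(domain):
    return any(s.endswith("." + domain) for s in PUBLIC_SUFFIXES)

def rfc6265_check(host, domain_attr):
    """Section 5.3 as published. Returns the stored domain-attribute
    ("" means host-only cookie) or None if the cookie is ignored."""
    if is_public_suffix(domain_attr):
        if domain_attr == host:
            domain_attr = ""          # downgrade to a host-only cookie
        else:
            return None
    # Following step: request-host must domain-match a non-empty attribute.
    if domain_attr and not domain_match(host, domain_attr):
        return None
    return domain_attr

def errata_check(host, domain_attr):
    """Section 5.3 with the proposed text: TLDs, public suffixes and
    parents of public suffixes are all rejected, with no downgrade."""
    if domain_attr:
        is_tld = "." not in domain_attr
        if (is_tld or is_public_suffix(domain_attr)
                or is_parent_of_public_suffix(domain_attr)):
            return None
        if not domain_match(host, domain_attr):
            return None
    return domain_attr

if __name__ == "__main__":
    cases = [("shop.co.zz", "zz"),        # TLD missing from the list
             ("x.a.b.zz", "b.zz"),        # parent of a public suffix
             ("co.zz", "co.zz"),          # host is itself a public suffix
             ("shop.co.zz", "co.zz"),     # listed public suffix
             ("www.example.com", "example.com")]
    for host, dom in cases:
        print(host, dom, rfc6265_check(host, dom), errata_check(host, dom))
```

The first two cases are the ones the Notes call out: a literal lookup accepts `Domain=zz` and `Domain=b.zz` under the published text, while the proposed text ignores both cookies.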