Re: [http-state] Browser Behaviors on Cookie Domain and Public Suffix
Zhong Yu <zhong.j.yu@gmail.com> Thu, 28 May 2015 15:11 UTC
In-Reply-To: <CACuKZqEWKJKM7WOW7muBwP63LEMbLhLHpOnHNEun5VCKDK4wuw@mail.gmail.com>
References: <CACuKZqF_i9vSBeX54n9QV4tJhOgqiUjBWL4oVfv66WjXsWihUg@mail.gmail.com> <CACuKZqEWKJKM7WOW7muBwP63LEMbLhLHpOnHNEun5VCKDK4wuw@mail.gmail.com>
Date: Thu, 28 May 2015 10:10:55 -0500
Message-ID: <CACuKZqHbvwT9pJKJWfC1dgMrTL--tpu7SrOah=YrwAqJppF3Ug@mail.gmail.com>
From: Zhong Yu <zhong.j.yu@gmail.com>
To: http-state <http-state@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-state/AB-DrXVrpHINUR4kQEfAs13eb7U>
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
I will not file the errata at this time; the situation at publicsuffix.org is quite confusing [1]; we need more time before things settle down. Implementers depending on rfc6265 and publicsuffix.org need to figure out what to do on their own.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1139842#c69

Zhong Yu
bayou.io

On Sun, May 24, 2015 at 9:01 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote:
> Based on the previous observations and reasonings, I'm going to propose an
> Errata for rfc6265. Since the subject is messy and controversial, I'll wait
> for some time though. If nobody objects, I'll submit the Errata on Thursday.
>
> I think an errata is needed here because an implementer reading the RFC
> and publicsuffix.org may have missed the nuances, and accidentally
> allowed super cookies.
>
> Proposed Errata: (technical)
>
> Section 5.3 says:
>
>    If the user agent is configured to reject "public suffixes" and the
>    domain-attribute is a public suffix:
>
>       If the domain-attribute is identical to the canonicalized
>       request-host:
>
>          Let the domain-attribute be the empty string.
>
>       Otherwise:
>
>          Ignore the cookie entirely and abort these steps.
>
> It should say:
>
>    If the user agent is configured to reject "public suffixes" and the
>    domain-attribute is a TLD, or a public suffix, or any parent domain of a
>    public suffix:
>
>       Ignore the cookie entirely and abort these steps.
>
> Notes:
>
> 1. "TLD" is explicitly mentioned, because a TLD may not be a public suffix.
>
> 2. "parent of public suffix" is explicitly mentioned, because it may not
> be a public suffix.
>
> 3. The clause to set domain-attribute="" is removed for simplicity and
> interoperability; only Firefox implements it; and it doesn't seem very
> useful.
>
> --
>
> Zhong Yu
> bayou.io
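As an added example (not code from this thread, the RFC, or any browser), the current Section 5.3 wording and the proposed wording are implemented side by side and run over a constructed stand-in for the public suffix list. The list entries, hostnames and helper names are assumptions; the list deliberately omits the TLD "uk" and the parent "example-cloud.com" so that notes 1 and 2 have something to show.

```python
"""Current vs. proposed RFC 6265 section 5.3 handling of the Domain attribute.

Constructed example: PUBLIC_SUFFIXES is a tiny, hypothetical stand-in for
publicsuffix.org. It lacks the TLD "uk" (note 1 of the proposal) and lacks
"example-cloud.com", the parent of the listed suffix "s3.example-cloud.com"
(note 2), which is exactly the gap the current wording leaves open.
"""

PUBLIC_SUFFIXES = {"com", "co.uk", "s3.example-cloud.com"}  # constructed


def canonicalize(domain_attribute: str) -> str:
    """RFC 6265 5.2.3: drop one leading dot, then lowercase."""
    if domain_attribute.startswith("."):
        domain_attribute = domain_attribute[1:]
    return domain_attribute.lower()


def is_tld(domain: str) -> bool:
    return "." not in domain


def is_parent_of_public_suffix(domain: str) -> bool:
    """True if some listed suffix ends with '.' + domain (e.g. 'a.b.c' -> 'b.c', 'c')."""
    return any(ps.endswith("." + domain) for ps in PUBLIC_SUFFIXES)


def rfc6265_current(domain_attribute: str, request_host: str) -> str:
    """Section 5.3 as published: only a value that IS a public suffix is caught."""
    d = canonicalize(domain_attribute)
    if d in PUBLIC_SUFFIXES:
        if d == request_host.lower():
            return "host-only"  # "Let the domain-attribute be the empty string"
        return "reject"
    return "accept"  # a TLD or parent-of-suffix absent from the list gets through


def rfc6265_proposed(domain_attribute: str, request_host: str) -> str:
    """Proposed wording: TLD, public suffix, or parent of a public suffix -> reject."""
    d = canonicalize(domain_attribute)
    if is_tld(d) or d in PUBLIC_SUFFIXES or is_parent_of_public_suffix(d):
        return "reject"  # the host-only special case is gone (note 3)
    return "accept"


# Constructed Set-Cookie Domain= values and the request hosts that sent them.
CASES = [(".co.uk", "shop.co.uk"), ("uk", "shop.co.uk"),
         (".example-cloud.com", "a.s3.example-cloud.com"),
         ("s3.example-cloud.com", "s3.example-cloud.com"),
         ("shop.example-cloud.com", "www.shop.example-cloud.com")]


def compare() -> dict:
    """Map each Domain= value to (current outcome, proposed outcome)."""
    return {d: (rfc6265_current(d, h), rfc6265_proposed(d, h)) for d, h in CASES}
```

The second and third cases are the ones the proposal targets: a super cookie scoped to a missing TLD or to the parent of a listed suffix is accepted by the published text and rejected by the proposed text.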