MIME-Version: 1.0
In-Reply-To: <CACuKZqEWKJKM7WOW7muBwP63LEMbLhLHpOnHNEun5VCKDK4wuw@mail.gmail.com>
References: <CACuKZqF_i9vSBeX54n9QV4tJhOgqiUjBWL4oVfv66WjXsWihUg@mail.gmail.com>
 <CACuKZqEWKJKM7WOW7muBwP63LEMbLhLHpOnHNEun5VCKDK4wuw@mail.gmail.com>
Date: Thu, 28 May 2015 10:10:55 -0500
Message-ID: <CACuKZqHbvwT9pJKJWfC1dgMrTL--tpu7SrOah=YrwAqJppF3Ug@mail.gmail.com>
From: Zhong Yu <zhong.j.yu@gmail.com>
To: http-state <http-state@ietf.org>
Content-Type: multipart/alternative; boundary=047d7bea3d22267d87051725c4e5
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-state/AB-DrXVrpHINUR4kQEfAs13eb7U>
Subject: Re: [http-state] Browser Behaviors on Cookie Domain and Public Suffix
Precedence: list

--047d7bea3d22267d87051725c4e5
Content-Type: text/plain; charset=UTF-8

I will not file the errata at this time; the situation at publicsuffix.org
is quite confusing [1] ; we need more time before things settle down.
Implementers depending on rfc6265 and publicsuffix.org need to figure out
what to do on their own.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1139842#c69

Zhong Yu
bayou.io


On Sun, May 24, 2015 at 9:01 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote:

> Based on the previous observations and reasonings, I'm going to propose an
> Errata for rfc6265. Since the subject is messy and controversial, I'll wait
> for some time though. If nobody objects, I'll submit the Errata on Thursday.
>
> I think an errata is needed here because an implementer reading the RFC
> and publicsuffix.org may have missed the nuances, and accidentally
> allowed super cookies.
>
> Proposed Errata: (technical)
>
> Section 5.3 says:
>
>    If the user agent is configured to reject "public suffixes" and the
> domain-attribute is a public suffix:
>
>            If the domain-attribute is identical to the canonicalized
> request-host:
>
>               Let the domain-attribute be the empty string.
>
>            Otherwise:
>
>               Ignore the cookie entirely and abort these steps.
>
>
> It should say:
>
>    If the user agent is configured to reject "public suffixes" and the
> domain-attribute is a TLD, or a public suffix, or any parent domain of a
> public suffix:
>
>               Ignore the cookie entirely and abort these steps.
>
>
> Notes:
>
> 1. "TLD" is explicitly mentioned, because a TLD may not be a public suffix.
>
> 2. "parent of public suffix" is explicitly mentioned, because it may not
> be a public suffix.
>
> 3. The clause to set domain-attribute="" is removed for simplicity and
> interoperability; only Firefox implements it; and it doesn't seem very
> useful.
>
> --
>
> Zhong Yu
> bayou.io
>

--047d7bea3d22267d87051725c4e5
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div><div>I will not file the errata at this time; the sit=
uation at <a href=3D"http://publicsuffix.org" target=3D"_blank">publicsuffi=
x.org</a> is quite confusing [1] ; we need more time before things settle d=
own. Implementers depending on rfc6265 and <a href=3D"http://publicsuffix.o=
rg" target=3D"_blank">publicsuffix.org</a> need to figure out what to do on=
 their own.<br><br>[1] <a href=3D"https://bugzilla.mozilla.org/show_bug.cgi=
?id=3D1139842#c69">https://bugzilla.mozilla.org/show_bug.cgi?id=3D1139842#c=
69</a><br><br></div>Zhong Yu<br></div><a href=3D"http://bayou.io" target=3D=
"_blank">bayou.io</a><br><br></div><div class=3D"gmail_extra"><br><div clas=
s=3D"gmail_quote">On Sun, May 24, 2015 at 9:01 PM, Zhong Yu <span dir=3D"lt=
r">&lt;<a href=3D"mailto:zhong.j.yu@gmail.com" target=3D"_blank">zhong.j.yu=
@gmail.com</a>&gt;</span> wrote:<br><blockquote class=3D"gmail_quote" style=
=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir=
=3D"ltr"><div>Based on the previous observations and reasonings, I&#39;m go=
ing to propose an Errata for rfc6265. Since the subject is messy and contro=
versial, I&#39;ll wait for some time though. If nobody objects, I&#39;ll su=
bmit the Errata on Thursday.<br><br></div>I think an errata is needed here =
because an implementer reading the RFC and <a href=3D"http://publicsuffix.o=
rg" target=3D"_blank">publicsuffix.org</a> may have missed the nuances, and=
 accidentally allowed super cookies.<br><div><br>Proposed Errata: (technica=
l)<br><br>Section 5.3 says:<br><br>=C2=A0=C2=A0 If the user agent is config=
ured to reject &quot;public suffixes&quot; and the domain-attribute is a pu=
blic suffix:<br><br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0If the domain-=
attribute is identical to the canonicalized request-host:<br><br>=C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Let the domain-attribute be the empt=
y string.<br><br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0Otherwise:<br><br=
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Ignore the cookie entirel=
y and abort these steps.<br><br><br>It should say:<br><br>=C2=A0=C2=A0 If t=
he user agent is configured to reject &quot;public suffixes&quot; and the d=
omain-attribute is a TLD, or a public suffix, or any parent domain of a pub=
lic suffix:<br><br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Ignore =
the cookie entirely and abort these steps.<br><br><br></div><div>Notes:<br>=
<br></div><div>1. &quot;TLD&quot; is explicitly mentioned, because a TLD ma=
y not be a public suffix.<br><br></div><div>2. &quot;parent of public suffi=
x&quot; is explicitly mentioned, because it may not be a public suffix.<br>=
<br></div><div>3. The clause to set domain-attribute=3D&quot;&quot; is remo=
ved for simplicity and interoperability; only Firefox implements it; and it=
 doesn&#39;t seem very useful.<br></div><div><br>--<br><br>Zhong Yu<br><a h=
ref=3D"http://bayou.io" target=3D"_blank">bayou.io</a></div></div>
</blockquote></div><br></div>

--047d7bea3d22267d87051725c4e5--