Re: [http-state] Draft for $Origin attribute published

"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> Sun, 07 March 2010 19:45 UTC

Return-Path: <yngve@opera.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3D9C83A917F for <http-state@core3.amsl.com>; Sun, 7 Mar 2010 11:45:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.932
X-Spam-Level:
X-Spam-Status: No, score=-6.932 tagged_above=-999 required=5 tests=[AWL=-0.333, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5agEjjrdy2pS for <http-state@core3.amsl.com>; Sun, 7 Mar 2010 11:45:01 -0800 (PST)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by core3.amsl.com (Postfix) with ESMTP id 1068A3A9003 for <http-state@ietf.org>; Sun, 7 Mar 2010 11:45:00 -0800 (PST)
Received: from acorna (6.211.16.62.customer.cdi.no [62.16.211.6]) (authenticated bits=0) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id o27Jj1OC028426 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <http-state@ietf.org>; Sun, 7 Mar 2010 19:45:02 GMT
Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes
To: "Discuss HTTP State Management Mechanism" <http-state@ietf.org>
References: <op.u8wwycp7qrq7tp@acorna>
Date: Sun, 07 Mar 2010 20:44:55 +0100
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
From: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Organization: Opera Software AS
Message-ID: <op.u87qg51uqrq7tp@acorna>
In-Reply-To: <op.u8wwycp7qrq7tp@acorna>
User-Agent: Opera Mail/10.10 (Win32)
Subject: Re: [http-state] Draft for $Origin attribute published
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Mar 2010 19:45:02 -0000

Hello all,

A slightly edited version of the $Origin draft has been sumbitted.

http://www.ietf.org/id/draft-pettersen-cookie-origin-01.txt

-----------


A new version of I-D, draft-pettersen-cookie-origin-01.txt has been  
successfuly submitted by Yngve Pettersen and posted to the IETF repository.

Filename:	 draft-pettersen-cookie-origin
Revision:	 01
Title:		 Identifying origin server of HTTP Cookies
Creation_date:	 2010-03-07
WG ID:		 Independent Submission
Number_of_pages: 7

Abstract:
HTTP Cookies, as originally defined by Netscape in [NETSC] and as
later updated by [RFC2109] and [RFC2965] did not address the issue of
how to restrict which domains a server is allowed to set a cookie
for: This is particularly a problem for servers hosted in top level
domains having subdomains that are controlled by registries and not
by domain owners, e.g. co.uk and city.state.us domains.  In such
situations, unless the client uses some kind of domain black-list, it
is possible for a malicious server to set cookies so they are sent to
all servers in a domain the attacker does not control.  These cookies
may adversly affect the function of servers receiving them.  The
primary reason this is a problem is that the server receiving the
cookie has no way of telling which server originally set it, and is
therefore not able to reliably distinguish an invalid cookie from a
valid cookie.

This document proposes a new attribute, "$Origin", that is associated
with each cookie and sent in all client cookie headers in the
requests sent to the server.  Servers recognizing the attribute may
then check to see if the cookie was set by a server which is allowed
to set cookies for the server, and if necessary ignore the cookie.

-- 
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************