Re: [http-state] cake spec: server-side initiation only?
Mike Wilson <mikewse@hotmail.com> Fri, 03 December 2010 23:47 UTC
From: Mike Wilson <mikewse@hotmail.com>
To: 'Adam Barth' <ietf@adambarth.com>
Date: Sat, 04 Dec 2010 00:48:28 +0100
Cc: http-state@ietf.org
Adam Barth wrote:
> On Fri, Dec 3, 2010 at 12:01 PM, Mike Wilson
> <mikewse@hotmail.com> wrote:
> > Reading http://www.ietf.org/id/draft-abarth-cake-00.txt,
> > I wonder if client-side nonce generation (as initially
> > proposed on the mailing list) was dropped altogether or
> > just hasn't been spec'ed yet?
>
> [...]
>
> Set-Cookie: foo=bar; Origin
>
> Using the Origin attribute sets the scope of the cookie to the current
> origin (scheme, host, and port). The Origin attribute overrides the
> Domain and Path attributes. Additionally, the cookie is returned to
> the server in the Origin-Cookie header:
>
> Origin-Cookie: foo=bar
>
> The reason we return the cookie in a separate header is so the server
> can know that the cookie was set by its own origin. If we returned
> the cookie in the Cookie header, then an attacker could inject a
> non-Origin cookie with the same name and confuse the server.

Ok, so you are thinking about an extension to cookies instead of a new cake mechanism.

> On Fri, Dec 3, 2010 at 12:02 PM, Mike Wilson
> <mikewse@hotmail.com> wrote:
> > Earlier this year [1] we discussed state scoped on individual
> > windows or tabs:
> >
> > [...]
> >
> > I see that you have addressed CSRF in cakes. Were/are you thinking
> > that cakes is the better place to add future window scopes to?
>
> Independently of the Origin attribute, I think an "instance" attribute
> makes sense. Here we'd want to follow the same scoping rules as
> sessionStorage (at the application layer). In particular, each tab
> has a separate scope, but if one tab is created from another, it
> starts off with a clone of the previous tab's state.

I think more scopes than user_agent and browsing_context could be interesting, so I would not go for a boolean attribute.

Anyway, is now a good time to start looking at these factors, or is there other work you want to finish first?

Best regards
Mike
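The Origin attribute and the separate Origin-Cookie header that Adam describes above, as an added example that is not from the draft or from either poster: a toy user-agent cookie jar in Python. It assumes that an Origin cookie is returned only to the exact (scheme, host, port) that set it, uses a simplified Domain suffix / Path prefix match for ordinary cookies, and the hostnames in the scenario are constructed.

```python
from urllib.parse import urlsplit

def origin_of(url):
    """(scheme, host, port) of a URL; the default port follows the scheme."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or (443 if u.scheme == "https" else 80))

def parse_set_cookie(setting_url, header):
    """Parse one Set-Cookie value. With the Origin attribute the cookie is
    bound to the origin that set it and Domain/Path are ignored (assumed)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in parts[1:])}
    if "origin" in attrs:
        return {"name": name, "value": value, "origin": origin_of(setting_url)}
    host = origin_of(setting_url)[1]
    return {"name": name, "value": value, "origin": None,
            "domain": attrs.get("domain", host).lstrip("."),
            "path": attrs.get("path") or "/"}

def request_headers(jar, url):
    """Split the jar into a Cookie header (ordinary cookies) and an
    Origin-Cookie header (cookies set with Origin by this exact origin)."""
    scheme, host, port = origin_of(url)
    path = urlsplit(url).path or "/"
    plain, scoped = [], []
    for c in jar:
        pair = f"{c['name']}={c['value']}"
        if c["origin"] is not None:
            if c["origin"] == (scheme, host, port):  # exact origin only
                scoped.append(pair)
        elif (host == c["domain"] or host.endswith("." + c["domain"])) \
                and path.startswith(c["path"]):
            plain.append(pair)   # simplified Domain/Path matching (assumed)
    headers = {}
    if plain:
        headers["Cookie"] = "; ".join(plain)
    if scoped:
        headers["Origin-Cookie"] = "; ".join(scoped)
    return headers

def demo():
    """Constructed scenario: a same-named Domain cookie planted by a sibling
    host lands in Cookie, while the site's own Origin cookie stays separate."""
    jar = [
        parse_set_cookie("https://app.example.com/", "foo=bar; Origin"),
        parse_set_cookie("http://other.example.com/", "foo=evil; Domain=example.com"),
    ]
    return request_headers(jar, "https://app.example.com/account")
```

A server that reads foo only from Origin-Cookie therefore never sees the planted value, which is the point of keeping the two headers apart.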