Re: [http-state] cake spec: server-side initiation only?
Adam Barth <ietf@adambarth.com> Fri, 03 December 2010 22:48 UTC
Return-Path: <ietf@adambarth.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 268373A67EF for <http-state@core3.amsl.com>; Fri, 3 Dec 2010 14:48:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.699
X-Spam-Level:
X-Spam-Status: No, score=-3.699 tagged_above=-999 required=5 tests=[AWL=-1.322, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KInWGG+F2YiH for <http-state@core3.amsl.com>; Fri, 3 Dec 2010 14:48:33 -0800 (PST)
Received: from mail-gx0-f182.google.com (mail-gx0-f182.google.com [209.85.161.182]) by core3.amsl.com (Postfix) with ESMTP id 539093A67B4 for <http-state@ietf.org>; Fri, 3 Dec 2010 14:48:33 -0800 (PST)
Received: by gxk8 with SMTP id 8so32399850gxk.27 for <http-state@ietf.org>; Fri, 03 Dec 2010 14:49:51 -0800 (PST)
Received: by 10.90.113.11 with SMTP id l11mr2115204agc.70.1291416590980; Fri, 03 Dec 2010 14:49:50 -0800 (PST)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id g2sm1373248yhc.38.2010.12.03.14.49.49 (version=SSLv3 cipher=RC4-MD5); Fri, 03 Dec 2010 14:49:49 -0800 (PST)
Received: by iwn40 with SMTP id 40so12277615iwn.31 for <http-state@ietf.org>; Fri, 03 Dec 2010 14:49:48 -0800 (PST)
Received: by 10.231.11.3 with SMTP id r3mr2466643ibr.53.1291416588680; Fri, 03 Dec 2010 14:49:48 -0800 (PST)
MIME-Version: 1.0
Received: by 10.231.12.77 with HTTP; Fri, 3 Dec 2010 14:49:18 -0800 (PST)
In-Reply-To: <SNT129-DS436A3F42F5FB24CA89483A4280@phx.gbl>
References: <SNT129-DS436A3F42F5FB24CA89483A4280@phx.gbl>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 03 Dec 2010 14:49:18 -0800
Message-ID: <AANLkTimDRJkwXoXt-2Lm6qNjEVcRN5bqdN01_G2+8Df_@mail.gmail.com>
To: Mike Wilson <mikewse@hotmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: http-state@ietf.org
Subject: Re: [http-state] cake spec: server-side initiation only?
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Dec 2010 22:48:34 -0000
On Fri, Dec 3, 2010 at 12:01 PM, Mike Wilson <mikewse@hotmail.com> wrote: > Reading http://www.ietf.org/id/draft-abarth-cake-00.txt, > I wonder if client-side nonce generation (as initially > proposed on the mailing list) was dropped altogether or > just hasn't been speced yet? Yeah, I haven't updated that document with my current thinking. I've been looking at a bunch of different variations in code. Here's one recent prototype: http://codereview.chromium.org/4630001/ In case you're not familiar with Chrome's code base, the way this works is as follows: Set-Cookie: foo=bar; Origin Using the Origin attribute sets the scope of the cookie to the current origin (scheme, host, and port). The Origin attribute overrides the Domain and Path attributes. Additionally, the cookie is returned to the server in the Origin-Cookie header: Origin-Cookie: foo=bar The reason we return the cookie in a separate header is so the server can know that the cookie was set by its own origin. If we returned the cookie in the Cookie header, then an attacker could inject a non-Origin cookie with the same name and confuse the server. On Fri, Dec 3, 2010 at 12:02 PM, Mike Wilson <mikewse@hotmail.com> wrote: > Earlier this year [1] we discussed state scoped on individual > windows or tabs: > > [...] > > I see that you have addressed CSRF in cakes. Were/are you thinking > that cakes is the better place to add future window scopes to? Independently of the Origin attribute, I think an "instance" attribute make sense. Here we'd want to follow the same scoping rules as sessionStorage (at the application layer). In particular, each tab has a separate scope, but if one tab is created from another, it starts off with a clone of the previous tab's state. These attributes are independent but combine nicely (as well as combining nicely with the HttpOnly attribute). Adam