[http-state] Closing Ticket 3: Public Suffixes

Adam Barth <ietf@adambarth.com> Fri, 22 January 2010 00:10 UTC

Discussion about Ticket 3 seems to have quieted down.

== Summary of Discussion ==

No one supported the idea of a specific hard-coded list of public suffixes.

Corvid supported the approach of a recommended heuristic, but Yngve
argued that the proposed heuristic was sufficiently wrong as to be

No one supported the idea of ignoring the issue entirely.

Yngve proposed the idea of using DNS queries for A records to deduce
the public suffix list but later agreed that NX ISPs (like Comcast)
could cause this approach to fail in the future.

Yngve proposed reversing the domain semantics, but this is too great a
change to the semantics of the protocol for phase one.

Yngve proposed adding a $origin attribute to the cookie-string, but
this alters the syntax of the protocol, which is forbidden in phase

The discussion generated a bunch of good ideas that we should revisit
in phase two.

== Specification Change ==

diff --git a/drafts/cookie.xml b/drafts/cookie.xml
index 5b1e393..7765b10 100644
--- a/drafts/cookie.xml
+++ b/drafts/cookie.xml
@@ -748,6 +748,22 @@ mystery         = <anything except a delimiter>
             domain-attribute, ignore the cookie entirely and abort these

+            <t>If the user agent is configured to use a "public suffix" list
+            and the domain-attribute is a public suffix, ignore the cookie
+            entirely and abort these steps.
+            <list style="empty">
+              <t>NOTE: A "public suffix" is a domain that is controlled by a
+              public registry, such as "com", "co.uk", and "pvt.k12.wy.us".
+              This step is essential for preventing attacker.com from
+              disrupting the integrity of example.com by setting a cookie with
+              a Domain attribute of "com". Unfortunately, the set of public
+              suffixes (also known as "registry controlled domains") changes
+              over time. If feasible, user agents SHOULD use an up-to-date
+              public suffix list, such as the one maintained by the Mozilla
+              project at http://publicsuffix.org/.</t>
+            </list>
+            </t>
             <t>Set the cookie's host-only-flag to false.</t>

             <t>Set the cookie's domain to the domain-attribute.</t>
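
Review bot: the new step drops the cookie whenever the domain-attribute is a public suffix, with no carve-out for a host whose own name is that public suffix; as written, such a host setting Domain equal to its own name loses the cookie instead of getting a host-only one. Consider adding an exception along the lines of "unless the domain-attribute is identical to the host that sent the cookie, in which case treat the cookie as host-only". Two smaller points: the step only applies "If the user agent is configured to use" a list while the NOTE calls it "essential", so the text should say what a user agent without a list is expected to do; and the SHOULD sits inside a NOTE in a list with style="empty", where readers may take it as non-normative, so the requirement would be better placed in the step itself. It would also help to state how the comparison is made (case-insensitively, after removing any leading dot).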

I've pushed a new version of the draft that includes this change:


We can re-open the issue if someone presents material new information.
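
The step added by the patch above, as an example added here (not code from the message, the draft, or the Mozilla project): a user agent's Domain-attribute check against rules in the publicsuffix.org list format, including that format's wildcard and exception rules, which goes beyond the three suffixes the NOTE names. The rule set is a small constructed sample, the function names are hypothetical, the domain-match test is a simplified assumption, and internationalized names are not handled.

```python
# Constructed sample rules in the publicsuffix.org list format (not the real list).
SAMPLE_RULES = """
// constructed sample
com
co.uk
pvt.k12.wy.us
*.ck
!www.ck
"""

def load_rules(text):
    """Split list text into (normal and wildcard rules, exception rules)."""
    rules, exceptions = set(), set()
    for line in text.splitlines():
        line = line.split("//")[0].strip().lower()
        if line.startswith("!"):
            exceptions.add(line[1:])
        elif line:
            rules.add(line)
    return rules, exceptions

def is_public_suffix(domain, rules, exceptions):
    domain = domain.lower().strip(".")
    if domain in exceptions:      # "!www.ck" overrides the wildcard below
        return False
    if domain in rules or "." not in domain:
        return True               # listed, or a bare label (the list's implicit "*" rule)
    parent = domain.split(".", 1)[1]
    return "*." + parent in rules  # "*.ck": every direct child of "ck" is a suffix

def accept_domain_attribute(request_host, domain_attr, rules, exceptions):
    """Return the domain to store on the cookie, or None to ignore the cookie."""
    host = request_host.lower().rstrip(".")
    domain = domain_attr.lower().lstrip(".")   # a leading dot is ignored
    # Assumption: simplified domain-match (exact host or a parent domain of it).
    if not (host == domain or host.endswith("." + domain)):
        return None
    if is_public_suffix(domain, rules, exceptions):
        return None                            # the step added by the patch
    return domain

RULES, EXCEPTIONS = load_rules(SAMPLE_RULES)

if __name__ == "__main__":
    for host, attr in [("www.attacker.com", "com"), ("www.example.com", ".example.com"),
                       ("shop.example.co.uk", "co.uk"), ("a.b.ck", "b.ck"), ("x.www.ck", "www.ck")]:
        print(host, attr, "->", accept_domain_attribute(host, attr, RULES, EXCEPTIONS))
```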