Re: [http-state] Ticket 6: host-only cookies
Dan Winship <dan.winship@gmail.com> Fri, 22 January 2010 14:37 UTC
Message-ID: <4B59B834.3030500@gmail.com>
Date: Fri, 22 Jan 2010 09:37:40 -0500
From: Dan Winship <dan.winship@gmail.com>
To: Adam Barth <ietf@adambarth.com>
References: <7789133a1001220050m56cc438x35099b7972639331@mail.gmail.com>
In-Reply-To: <7789133a1001220050m56cc438x35099b7972639331@mail.gmail.com>
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Ticket 6: host-only cookies
On 01/22/2010 03:50 AM, Adam Barth wrote:
> 1) Specify host-only cookies to match Firefox, Chrome, Safari, and
> Opera. This is best for security, and I think there's a good chance
> that IE will adopt host-only cookies in future, but I don't have any
> citable evidence for this belief. (The draft currently matches this
> proposal.)

The other argument in favor of this is that the host-only cookie rule
was part of the original Netscape spec, so this isn't just a case of
unspecified behavior where some browsers do one thing and others do
another, or of clients being-liberal-in-what-they-accept to work around
server problems. IE is just doing it wrong.

> 3) Allow both behaviors. This alternative is the worst for security
> because it makes the cookie protocol less predictable. When all the
> other browsers agree on a behavior that's better than the IE behavior,
> I think we can require the non-IE behavior.

Well... allowing both behaviors doesn't *make* the protocol less
predictable, because the protocol already *is* less predictable, and
will continue to be for several years at least, regardless of what we
say. So we should document the unpredictability, so that server authors
will know that they have to take steps to protect themselves against
unintended cookie leakage in some cases.

So my vote is, require clients to implement host-only cookies (as the
Netscape spec did), but note in the corresponding server-side section
that some clients don't do this, with some discussion of the security
issues.

-- Dan
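To make the "unintended cookie leakage" concrete, here is an added example (not code from the http-state list, the draft, or any browser) of a client-side cookie store that applies the host-only rule the draft requires, alongside a switch that reproduces the behaviour the thread contrasts against: treating a cookie set without a Domain attribute as if Domain were the setting host, so it is also sent to subdomains of that host. The hosts, cookie names and Set-Cookie lines are constructed for the illustration; the parser handles only name=value and Domain and is an assumption of this example, not the draft's grammar.

```python
"""Host-only cookie matching: the rule the draft requires versus the
subdomain-leaking behaviour discussed in the thread.

Added example; cookie jar, hosts and header lines are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """Domain-matching: request_host equals cookie_domain or is a
    subdomain of it. A leading dot on the Domain attribute is ignored."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # setting host, or the Domain attribute, lowercased
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Minimal Set-Cookie parser (assumption of this example): reads
    name=value and an optional Domain attribute; Path, Expires, Secure
    and HttpOnly are accepted but ignored."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain_attr = None
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        if k.strip().lower() == "domain" and v.strip():
            domain_attr = v.strip().lstrip(".").lower()
    if domain_attr is None:
        # No Domain attribute: host-only, bound to the exact setting host.
        return Cookie(name.strip(), value, request_host.lower(), host_only=True)
    # A Domain attribute the setting host does not match is rejected.
    if not domain_matches(request_host, domain_attr):
        raise ValueError(f"{request_host} may not set a cookie for {domain_attr}")
    return Cookie(name.strip(), value, domain_attr, host_only=False)


def cookies_for(jar: list[Cookie], request_host: str,
                ignore_host_only: bool = False) -> list[str]:
    """Names of the cookies a client would attach to a request for
    request_host.

    ignore_host_only=False: host-only cookies go only to the exact host
    that set them (the Netscape rule the draft adopts).
    ignore_host_only=True: the host-only flag is dropped and the setting
    host is treated like a Domain attribute, so the cookie also flows to
    every subdomain of that host (the leak the message warns about)."""
    sent = []
    host = request_host.lower()
    for c in jar:
        if c.host_only and not ignore_host_only:
            if host == c.domain:
                sent.append(c.name)
        elif domain_matches(host, c.domain):
            sent.append(c.name)
    return sent


# Constructed scenario: the login host sets a session cookie with no
# Domain attribute, expecting it to stay on www.example.com only.
JAR = [
    parse_set_cookie("session=abc123; Path=/; Secure; HttpOnly", "www.example.com"),
    parse_set_cookie("tracker=t1; Domain=example.com", "www.example.com"),
]

if __name__ == "__main__":
    for target in ("www.example.com", "untrusted.www.example.com", "other.example.com"):
        print(target,
              "host-only rule:", cookies_for(JAR, target),
              "flag ignored:", cookies_for(JAR, target, ignore_host_only=True))
```

Run stand-alone, the script shows the difference that matters to a server author: under the host-only rule the session cookie reaches only www.example.com, while with the flag ignored it is also sent to untrusted.www.example.com, i.e. to any subdomain of the setting host that an attacker can get content onto. Neither mode sends it to other.example.com, since that is not a subdomain of www.example.com. The server-side mitigation the message calls for follows from this: a service that must support such clients should not host untrusted content on subdomains of the host that sets sensitive cookies.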
- [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Daniel Stenberg
- Re: [http-state] Ticket 6: host-only cookies Dan Winship
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Dan Winship
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Maciej Stachowiak
- Re: [http-state] Ticket 6: host-only cookies Roy T. Fielding
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Roy T. Fielding
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Bil Corry
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Eran Hammer-Lahav
- Re: [http-state] Ticket 6: host-only cookies Julian Reschke
- Re: [http-state] Ticket 6: host-only cookies Bil Corry
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Julian Reschke
- Re: [http-state] Ticket 6: host-only cookies Dan Winship
- Re: [http-state] Ticket 6: host-only cookies Lisa Dusseault
- Re: [http-state] Ticket 6: host-only cookies Blake Frantz
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Bil Corry
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Dave Kristol
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Dave Kristol
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Bil Corry
- Re: [http-state] Ticket 6: host-only cookies Mark Pauley