Re: [http-state] Ticket 6: host-only cookies

Dan Winship <> Fri, 22 January 2010 14:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5C47D3A67DB for <>; Fri, 22 Jan 2010 06:37:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Nf-FLdaJw5ya for <>; Fri, 22 Jan 2010 06:37:49 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 8B8AA3A67BD for <>; Fri, 22 Jan 2010 06:37:49 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTPA id ADB38802AE; Fri, 22 Jan 2010 09:37:43 -0500 (EST)
Message-ID: <>
Date: Fri, 22 Jan 2010 09:37:40 -0500
From: Dan Winship <>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/20091209 Fedora/3.0-4.fc12 Thunderbird/3.0
MIME-Version: 1.0
To: Adam Barth <>
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: http-state <>
Subject: Re: [http-state] Ticket 6: host-only cookies
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 22 Jan 2010 14:37:50 -0000

On 01/22/2010 03:50 AM, Adam Barth wrote:
> 1) Specify host-only cookies to match Firefox, Chrome, Safari, and
> Opera.  This is best for security, and I think there's a good chance
> that IE will adopt host-only cookies in future, but I don't have any
> citable evidence for this belief.  (The draft currently matches this
> proposal.)

The other argument in favor of this is that the host-only cookie rule
was part of the original Netscape spec, so this isn't just a case of
unspecified behavior where some browsers do one thing and others do
another, or of clients being-liberal-in-what-they-accept to work around
server problems. IE is just doing it wrong.

> 3) Allow both behaviors.  This alternative is the worst for security
> because it makes the cookie protocol less predictable.  When all the
> other browsers agree on a behavior that's better than the IE behavior,
> I think we can require the non-IE behavior.

Well... allowing both behaviors doesn't *make* the protocol less
predictable, because the protocol already *is* less predictable, and
will continue to be for several years at least, regardless of what we
say. So we should document the unpredictability, so that server authors
will know that they have to take steps to protect themselves against
unintended cookie leakage in some cases.

So my vote is, require clients to implement host-only cookies (as the
Netscape spec did), but note in the corresponding server-side section
that some clients don't do this, with some discussion of the security

-- Dan