[http-state] Browser Behaviors on Cookie Domain and Public Suffix
Zhong Yu <zhong.j.yu@gmail.com> Mon, 25 May 2015 01:42 UTC
Return-Path: <zhong.j.yu@gmail.com>
X-Original-To: http-state@ietfa.amsl.com
Delivered-To: http-state@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86EEE1A8915 for <http-state@ietfa.amsl.com>; Sun, 24 May 2015 18:42:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.301
X-Spam-Level: *
X-Spam-Status: No, score=1.301 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_52=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1yUmjY22ES7M for <http-state@ietfa.amsl.com>; Sun, 24 May 2015 18:42:27 -0700 (PDT)
Received: from mail-ig0-x22d.google.com (mail-ig0-x22d.google.com [IPv6:2607:f8b0:4001:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49F8D1A88A4 for <http-state@ietf.org>; Sun, 24 May 2015 18:42:27 -0700 (PDT)
Received: by igbsb11 with SMTP id sb11so24552493igb.0 for <http-state@ietf.org>; Sun, 24 May 2015 18:42:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=EREfKgQ7K9Oz0zlxNJWoREVzTQgSUBDUwWB+Efzgsfo=; b=R2rL2+6Nt8B2du8bMv0MPPDSZWXDqdbffCZPAA+rzjxGNoGJKTM+lwvdG3hSpp9b6v tSODtENsZw85YLyw8NFV+AdvQMSLMUBcuDqxnxx0hf8aPcPF1tJTR89RjznVNVo2rrge K5FJJdr0Eq9i1WKfPceu/gkxCL7fsPqoCMa/hWs24gkO3LtCuEbW+i6OzPH5pujb0cAv aqAiYvwTX0dSdJh32FicaBvXebLXH7VD4It9mzdvjpQTXVXO2Wfjf/wlhM4b49z5oAiM FVtcU78/fYAQyQhpJ2NnhSyhN492dr37AiVIXde+zzzX9J1jSC2vO2bUYFhrFBx/u0QO uxww==
MIME-Version: 1.0
X-Received: by 10.43.152.204 with SMTP id kx12mr21286043icc.51.1432518146545; Sun, 24 May 2015 18:42:26 -0700 (PDT)
Received: by 10.64.98.33 with HTTP; Sun, 24 May 2015 18:42:26 -0700 (PDT)
Date: Sun, 24 May 2015 20:42:26 -0500
Message-ID: <CACuKZqF_i9vSBeX54n9QV4tJhOgqiUjBWL4oVfv66WjXsWihUg@mail.gmail.com>
From: Zhong Yu <zhong.j.yu@gmail.com>
To: http-state <http-state@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c2ce72425fb10516de1fea"
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-state/TPAIg769WRpZsQVkKOCFpQNqFmE>
Subject: [http-state] Browser Behaviors on Cookie Domain and Public Suffix
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state/>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 May 2015 01:42:29 -0000
This is a survey of how browsers handle cookie domains with regard to public suffixs. 5 major browsers are tested: Chrome/Opera, IE, Firefox, Safari; latest versions on Windows 7. Note that Opera behaves exactly like Chrome in all tests, so it won't be mentioned again. ------------ First, some references: rfc6265#5.3 If ... the [cookie] domain-attribute is a public suffix ... ignore the cookie entirely publicsuffix.org A "public suffix" is one under which Internet users can (or historically could) directly register names. The list of public suffixes: https://publicsuffix.org/list/public_suffix_list.dat ------------ >From these specs, there's an obvious complication - what if a public suffix has a parent that's not a public suffix? As an example, <compute.amazonaws.com> is a public suffix, but < amazonaws.com> is not. # Firefox/Chrome: <s1.amazonaws.com> can set a cookie for <amazonaws.com>; the cookie is applicable to <amazonaws.com>, <s2.amazonaws.com>, etc, but not to <compute.amazonaws.com> and its child domains. # Safari: nobody can set a cookie for <amazonaws.com>; the domain is probably treated as a public suffix. # IE: IE apparently doesn't recognize <compute.amazonaws.com> as a public suffix; it's treated as a normal domain. IE doesn't even recognize Microsoft's own public suffixes like <azurewebsites.net>. I'm unable to find domains to conduct this particular teston IE. ------------ One one hand, Firefox/Chrome conforms to rfc6265#5.3 by accepting cookie domain <amazonaws.com> which is not a public suffix; on the other hand, Firefox/Chrome must violate rfc6265#5.4 so that the cookie is not delivered to public suffix <compute.amazonaws.com> and its child domains. The behavior of Firefox/Chrome is reasonable and defensible, but it's quite complicated, and the benefit is dubious: - only a few companies could benefit from it; - they probably do not need to share client state among sites like <s1/ s2.amazonaws.com> - if they do need to share client state, they have enough resources to accomplish it through other methods - they cannot reliably share client state through cookie domain anyway, because of Safari. - Firefox/Chrome fails to demonstrate the same behavior when wildcard rules are involved, see below. ------------ Wildcards The public suffix list contains wildcard rules like <*.nom.br>. It means that any <foo.nom.br> is a public suffix, but <nom.br> is not ( the public cannot directly register names under <nom.br> ). Semantically we would expect that the wildcard rule is equivalent to the expansion of all child domains - <a.nom.br>, <aa.nom.br> .... And we would expect that a browser handles <foo.nom.br>/<nom.br> the same way it handles <compute.amazonaws.com>/<amazonaws.com>. Unfortunately that's not the case. # Firefox/Chrome/Safari: both <foo.nom.br> and <nom.br> are treated as public suffixes; nobody can set a cookie for <nom.br> # IE: IE apparently misunderstands wildcard rules; <nom.br> is treated as public suffix, but <foo.nom.br> is treated as not - <s1.foo.nom.br> can set a cookie for <foo.nom.br> that's applicable to <s2.foo.nom.br> ------------ TLDs All TLDs are treated by all browsers as public suffixes w.r.t. cookie domain, with 1 exception. The following TLDs are tested: com jobs bd il test example invalid local localhost arpa faketld The only exception is <localhost> on Safari - <s1.localhost> can set a cookie domain <localhost> that's applicable to <s2.localhost> Note that <bd> and <il> are not public suffixes per se - they appear in the public suffix list only as <*.bd> and <*.il>. ------------ Another detail in rfc6265#5.3 - if both cookie domain and request host are the same public suffix, accept the cookie, but ignore the cookie domain. Firefox is the only browser that implements it - if a public suffix site <foo> sets a cookie with domain <foo>, the cookie is accepted with domain erased; the cookie is applicable to only <foo>, not to any other sites. "foo" could be "test/faketld/com/uk/co.uk/foo.nom.br/compute.amazonaws.com" etc. On other browsers, such a cookie is simply discarded, if its domain is considered a public suffix. The benefit of this feature of rfc/firefox is dubious - this feature intends to tolerate a programming mistake that sets a cookie domain where it shouldn't. we do not need to exercise such tolerance on public suffix operators. - it's unlikely that any operator of a public suffix needs this feature - this feature cannot be relied upon anyway, since only Firefox does it. -------------- Zhong Yu bayou.io