Re: [http-state] Ticket 6: host-only cookies

[Adam Barth <ietf@adambarth.com>]

On Fri, Jan 22, 2010 at 11:09 AM, Dan Winship <dan.winship@gmail.com> wrote:
> On 01/22/2010 12:49 PM, Adam Barth wrote:
>> In this case, we see that every non-IE user agent has decided to
>> support host-only cookies.  Given the collective market share of these
>> user agents, that's strong evidence that the behavior is sufficiently
>> interoperable with existing servers.
>
> In this case the problem isn't whether the client behavior is
> interoperable with servers, it's whether the server behavior (of
> expecting host-only cookies to actually be treated as host-only) is
> interoperable with clients. And more than 50% of the time, it's not.
>
>> Also, there is a large security
>> benefit to implementing host-only cookies.
>
> But there's a large security FAIL for servers if their security model
> assumes that clients will implement host-only cookies, and then it turns
> out that some clients don't. And since we already know that some
> (/many/most) clients don't, sites that want to be secure have to find
> some other way to protect themselves and their users that doesn't depend
> on having working host-only cookies. (Because, as recently demonstrated,
> hackers can do plenty of damage even if they can only hack IE users. :)

Indeed.  I think you're arguing that we should warn servers about IE's
behavior in the specification directly instead of referring to a
second document.  I'd be inclined to note this behavior where we
explain host-only cookies and again in the security consideration
section.  Those should be the two most common places folks will look
for this kind of information.

Adam