Re: [http-state] HTTP cookie processing wrt "public suffixes"

Zhong Yu <zhong.j.yu@gmail.com> Thu, 21 May 2015 23:30 UTC

In-Reply-To: <CACuKZqGu9vFnQMtkpbG=g3iK6XHKAeOsnsaBxkXYJVqxvzbRRg@mail.gmail.com>
References: <CACuKZqGu9vFnQMtkpbG=g3iK6XHKAeOsnsaBxkXYJVqxvzbRRg@mail.gmail.com>
Date: Thu, 21 May 2015 18:30:17 -0500
Message-ID: <CACuKZqF2CiEhAAemtxLUCEfHG0ADXe3dA1Dm1ZXWBMc3znkO3A@mail.gmail.com>
From: Zhong Yu <zhong.j.yu@gmail.com>
To: http-state <http-state@ietf.org>, team@publicsuffix.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-state/izsk0iQLZqRCFoVUpCF3Eerigzo>
Subject: Re: [http-state] HTTP cookie processing wrt "public suffixes"
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state/>

After more thought on the matter, it seems not uncommon that a parent
of a public suffix is not a public suffix. Besides the domains listed
in my previous email, all "*" rules in the PSL imply a public suffix
with a non-public-suffix parent. For example, rule "*.bd" means that
any "foo.bd" is a public suffix, but the parent, "bd", is not a public
suffix (because the public cannot directly register child domains of
"bd").

With this clarified, we'll have to fix RFC 6265. Currently, it allows
"bar.foo.bd" to set a cookie for domain "bd". That is incorrect, and
it is not how browsers behave. I'll see if I can find a simple
algorithm to address the problem.

Zhong Yu
bayou.io
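The situation described in the message, as an added example (this is not code from the original message, from the http-state list, or from the PSL project): a small matcher for PSL rule syntax run over a constructed excerpt, the RFC 6265 section 5.3 step 5/6 check as written, and, beside it, a stricter check that requires the Domain attribute to be no shorter than the request host's registrable domain (public suffix plus one label). The excerpt, the hostnames and every function name here are constructed for illustration; the matcher applies listed rules only and deliberately does not apply the list's "*" fallback for unlisted TLDs, so "bd", which has only the wildcard rule "*.bd" beneath it, gets no rule of its own.

```python
# Added example (not from the original message or the PSL project): PSL rule
# matching and RFC 6265 cookie Domain checks. Rules, hosts and names are
# constructed for illustration.

PSL_EXCERPT = """\
// Constructed excerpt in PSL syntax: these rules exist in the real list,
// but this is nowhere near the whole list.
com
uk
co.uk
*.bd
*.ck
!www.ck
"""


def parse_psl(text):
    """Return the rule lines of a PSL text; comments and blank lines are dropped."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("//")]


def labels(name):
    """Split a host name into labels (a leading dot, as in 'Domain=.bd', is ignored)."""
    return name.lower().strip(".").split(".")


def rule_matches(rule, host_labels):
    """PSL matching: the rule's labels equal the host's rightmost labels; '*' matches any one label."""
    rule_labels = labels(rule.lstrip("!"))
    if len(rule_labels) > len(host_labels):
        return False
    return all(r == "*" or r == h
               for r, h in zip(reversed(rule_labels), reversed(host_labels)))


def public_suffix(host, rules):
    """Public suffix of host from the listed rules: an exception rule wins,
    otherwise the longest matching rule. Returns None when no listed rule
    matches; the list's '*' fallback for unlisted TLDs is intentionally not
    applied here, so 'bd' (which only has the wildcard rule '*.bd' beneath it)
    gets no public suffix of its own."""
    host_labels = labels(host)
    matching = [r for r in rules if rule_matches(r, host_labels)]
    if not matching:
        return None
    exceptions = [r for r in matching if r.startswith("!")]
    if exceptions:
        count = len(labels(exceptions[0])) - 1   # '!www.ck' -> public suffix 'ck'
    else:
        count = max(len(labels(r)) for r in matching)
    return ".".join(host_labels[-count:])


def is_public_suffix(name, rules):
    return public_suffix(name, rules) == ".".join(labels(name))


def domain_matches(host, domain):
    """RFC 6265 section 5.1.3 domain-match for host names (IP addresses not handled)."""
    host, domain = ".".join(labels(host)), ".".join(labels(domain))
    return host == domain or host.endswith("." + domain)


def rfc6265_accepts(request_host, cookie_domain, rules):
    """RFC 6265 section 5.3, steps 5 and 6 as written: drop the cookie only when
    the Domain attribute is itself a public suffix (and is not the host),
    then require the host to domain-match the Domain attribute."""
    if is_public_suffix(cookie_domain, rules) and \
            ".".join(labels(cookie_domain)) != ".".join(labels(request_host)):
        return False
    return domain_matches(request_host, cookie_domain)


def strict_accepts(request_host, cookie_domain, rules):
    """Added, stricter check (constructed here, not the author's proposal): the
    Domain attribute must domain-match the host AND be at least as long as the
    host's registrable domain (public suffix plus one label). A Domain above
    the public suffix, such as 'bd' for 'bar.foo.bd', is then rejected whether
    or not 'bd' is itself listed."""
    if not domain_matches(request_host, cookie_domain):
        return False
    ps = public_suffix(request_host, rules)
    if ps is None:
        ps = labels(request_host)[-1]   # PSL '*' fallback: treat the TLD as the suffix
    return len(labels(cookie_domain)) > len(labels(ps))


if __name__ == "__main__":
    rules = parse_psl(PSL_EXCERPT)
    for host, domain in [("bar.foo.bd", "bd"), ("bar.foo.bd", "foo.bd"),
                         ("bar.foo.bd", "bar.foo.bd"), ("www.ck", "ck"),
                         ("a.b.co.uk", "uk"), ("a.b.co.uk", "b.co.uk")]:
        print(f"{host:12s} Domain={domain:12s} "
              f"rfc6265={rfc6265_accepts(host, domain, rules)!s:5s} "
              f"strict={strict_accepts(host, domain, rules)}")
```

Run stand-alone, the table shows the gap: for host bar.foo.bd, Domain=bd passes the step 5/6 check (no listed rule matches "bd", so it is not flagged as a public suffix, and the host domain-matches it) while Domain=foo.bd is rejected; the same happens for www.ck with Domain=ck under the "*.ck" rule. The stricter check rejects both because they lie above the host's registrable domain, and still accepts Domain=bar.foo.bd, Domain=www.ck and Domain=b.co.uk.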