[http-state] Origin cookies
Adam Barth <ietf@adambarth.com> Sun, 06 March 2011 01:47 UTC
Hi http-state,

Now that we're done with phase 1, I've updated my phase 2 proposal:

http://www.ietf.org/id/draft-abarth-cake-01.txt

There's a bunch of boilerplate (and missing sections) in that document. The main idea is to provide a new cookie attribute that lets servers harmonize the security policy of their cookies with the same-origin policy. Harmonizing the two policies has a number of general security benefits because security vulnerabilities often arise when there's an impedance mismatch between security policies. Specifically, origin cookies mitigate an important security hole in cookies by preventing active network attackers from setting cookies that overwrite the session identifiers used by HTTPS web sites, e.g. as described in Section 8.6 of draft-ietf-httpstate-cookie.

Let me know if you have any feedback.

Thanks!
Adam

----8<----

Abstract

This document defines the Origin attribute for cookies, which lets servers harmonize the security policy of their cookies with the widely used same-origin policy. Origin cookies provide both confidentiality and integrity, unlike the Secure attribute, which provides only confidentiality.

3. Overview

Using the Origin attribute, a server can set a cookie for its origin. Unlike the Path, Domain, and Secure attributes, the Origin attribute harmonizes the security properties of the cookie with the same-origin policy [cite: Principles of Origin]. In particular, the Origin attribute provides both confidentiality and integrity from other origins.

The Origin attribute supersedes the Path, Domain, and Secure attributes. The server can set these attributes as well to control the scope of cookies in legacy user agents. User agents that support origin cookies will ignore these attributes when the Origin attribute is present.

Origin cookies are returned from the user agent to the server in the Origin-Cookie header field and not the Cookie header field because the Cookie header field does not provide any information about the source of the cookie. When the server receives a cookie in the Origin-Cookie header field, the server can reason that the cookie was set by its own origin, and not injected by another origin.

3.1. Examples

The server can set an origin cookie, which is returned in the Origin-Cookie header field. Origin cookies support all the same attributes as other kinds of cookies, except Path, Domain, and Secure, which are ignored.

== Server -> User Agent ==

Set-Cookie: SID=31d4d96e407aad42; Origin

== User Agent -> Server ==

Origin-Cookie: SID=31d4d96e407aad42

Non-origin cookies are returned in the Cookie header as usual. If the user agent sends the server both origin and non-origin cookies, the origin cookies are returned in the Origin-Cookie header field and the non-origin cookies are returned in the Origin-Cookie header field.

== Server -> User Agent ==

Set-Cookie: SID=31d4d96e407aad42; Origin
Set-Cookie: lang=en-US; Path=/; Domain=example.com

== User Agent -> Server ==

Cookie: lang=en-US
Origin-Cookie: SID=31d4d96e407aad42

---->8----
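The following is an added illustration, not code from the draft or from Adam's message: a toy user-agent cookie store (the CookieJar class, origin_of helper and the "attacker" values are all constructed for this example) that keys Origin cookies by full origin and emits them in Origin-Cookie, so the Section 8.6 overwrite via a plain-HTTP Set-Cookie pollutes only the legacy Cookie header while Origin-Cookie still carries the value set by the HTTPS origin.

```python
from urllib.parse import urlsplit

# Origin cookies are keyed by (scheme, host, port), so a cookie set over
# http://example.com is never returned to https://example.com.
def origin_of(url):
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.scheme, u.hostname.lower(), port)

class CookieJar:
    def __init__(self):
        self.origin_cookies = {}   # (origin, name) -> value
        self.legacy_cookies = {}   # (domain, name) -> (value, secure_flag)

    def receive(self, set_cookie, from_url):
        """Process one Set-Cookie header value received from from_url."""
        parts = [p.strip() for p in set_cookie.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for p in parts[1:]:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip()
        if "origin" in attrs:
            # Origin supersedes Path, Domain and Secure: scope is the origin only.
            self.origin_cookies[(origin_of(from_url), name)] = value
        else:
            host = origin_of(from_url)[1]
            domain = attrs.get("domain", host).lstrip(".").lower()
            self.legacy_cookies[(domain, name)] = (value, "secure" in attrs)

    def headers_for(self, url):
        """Build the Cookie and Origin-Cookie request headers for url."""
        scheme, host, _ = origin_of(url)
        legacy = [f"{n}={v}" for (d, n), (v, sec) in self.legacy_cookies.items()
                  if (host == d or host.endswith("." + d))
                  and (scheme == "https" or not sec)]
        origin = [f"{n}={v}" for (o, n), v in self.origin_cookies.items()
                  if o == origin_of(url)]
        hdrs = {"Cookie": "; ".join(legacy), "Origin-Cookie": "; ".join(origin)}
        return {k: v for k, v in hdrs.items() if v}

def demo():
    jar = CookieJar()
    # The HTTPS site sets its session id as an origin cookie plus a legacy cookie.
    jar.receive("SID=31d4d96e407aad42; Origin", "https://example.com/login")
    jar.receive("lang=en-US; Path=/; Domain=example.com", "https://example.com/")
    # Constructed: an active network attacker answering for http://example.com
    # tries to overwrite SID both ways (the Section 8.6 scenario).
    jar.receive("SID=attacker; Domain=example.com", "http://example.com/")
    jar.receive("SID=attacker; Origin", "http://example.com/")
    return jar.headers_for("https://example.com/account")
```

Running demo() shows the legacy Cookie header carrying the injected SID, while Origin-Cookie contains only the value the HTTPS origin itself set.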