[http-state] Origin cookies

Adam Barth <ietf@adambarth.com> Sun, 06 March 2011 01:47 UTC

From: Adam Barth <ietf@adambarth.com>
Date: Sat, 05 Mar 2011 17:46:54 -0800
Message-ID: <AANLkTikTWEyOrUCZo3CbZeN61eqXEZ2JYeELV=R+paye@mail.gmail.com>
To: http-state <http-state@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Subject: [http-state] Origin cookies

Hi http-state,

Now that we're done with phase 1, I've updated my phase 2 proposal:

http://www.ietf.org/id/draft-abarth-cake-01.txt

There's a bunch of boilerplate (and missing sections) in that
document.  The main idea is to provide a new cookie attribute that
lets servers harmonize the security policy of their cookies with the
same-origin policy.  Harmonizing the two policies has a number of
general security benefits because security vulnerabilities often arise
when there's an impedance mismatch between security policies.
Specifically, origin cookies mitigate an important security hole in
cookies by preventing active network attackers from setting cookies
that overwrite the session identifiers used by HTTPS web sites, e.g. as
described in Section 8.6 of draft-ietf-httpstate-cookie.

Let me know if you have any feedback.

Thanks!
Adam


----8<----

Abstract

   This document defines the Origin attribute for cookies, which lets
   servers harmonize the security policy of their cookies with the
   widely used same-origin policy.  Origin cookies provide both
   confidentiality and integrity, unlike the Secure attribute, which
   provides only confidentiality.


3.  Overview

   Using the Origin attribute, a server can set a cookie for its origin.
   Unlike the Path, Domain, and Secure attributes, the Origin attribute
   harmonizes the security properties of the cookie with the same-origin
   policy [cite: Principles of Origin].  In particular, the Origin
   attribute provides both confidentiality and integrity from other
   origins.

   The Origin attribute supersedes the Path, Domain, and Secure
   attributes.  The server can set these attributes as well to control
   the scope of cookies in legacy user agents.  User agents that support
   origin cookies will ignore these attributes when the Origin attribute
   is present.

   Origin cookies are returned from the user agent to the server in the
   Origin-Cookie header field and not the Cookie header field because
   the Cookie header field does not provide any information about the
   source of the cookie.  When the server receives a cookie in the
   Origin-Cookie header field, the server can reason that the cookie was
   set by its own origin, and not injected by another origin.

3.1.  Examples

   The server can set an origin cookie, which is returned in the
   Origin-Cookie header field.  Origin cookies support all the same
   attributes as other kinds of cookies, except Path, Domain, and Secure,
   which are ignored.

   == Server -> User Agent ==

   Set-Cookie: SID=31d4d96e407aad42; Origin

   == User Agent -> Server ==

   Origin-Cookie: SID=31d4d96e407aad42

   Non-origin cookies are returned in the Cookie header as usual.  If
   the user agent sends the server both origin and non-origin cookies,
   the origin cookies are returned in the Origin-Cookie header field and
   the non-origin cookies are returned in the Cookie header field.

   == Server -> User Agent ==

   Set-Cookie: SID=31d4d96e407aad42; Origin
   Set-Cookie: lang=en-US; Path=/; Domain=example.com

   == User Agent -> Server ==

   Cookie: lang=en-US
   Origin-Cookie: SID=31d4d96e407aad42

---->8----
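To make the Overview and Examples sections above concrete, here is a toy user-agent cookie jar that implements the behaviour the draft describes: a cookie carrying the Origin attribute is scoped to the exact (scheme, host, port) of the response that set it, its Path/Domain/Secure attributes are ignored, and it is returned only in an Origin-Cookie header, while non-origin cookies follow ordinary domain/path/secure matching and go in Cookie. This is an added example, not code from the draft or from any browser; the class and function names, the (name, domain, path) storage key for non-origin cookies, and the sample URLs are my own simplifications. The demo function reproduces the Section 8.6 scenario the mail refers to: a cookie set over plain HTTP with a Domain attribute reaches the HTTPS origin, whereas an Origin cookie set over HTTP does not.

```python
"""Toy cookie jar modelling the Origin attribute from draft-abarth-cake-01.

Added example: a simplified user-agent model, not the draft's own code.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, Dict
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]  # (scheme, host, port)


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    origin: Optional[Origin]  # set only for cookies carrying the Origin attribute
    domain: str               # used for non-origin cookies only
    path: str                 # used for non-origin cookies only
    secure: bool              # used for non-origin cookies only


def origin_of(url: str) -> Origin:
    """Same-origin tuple of a URL, with default ports filled in."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.scheme, u.hostname or "", port)


def parse_set_cookie(header: str, setter_url: str) -> Cookie:
    """Parse a Set-Cookie value as received from setter_url."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    host = (urlsplit(setter_url).hostname or "").lower()
    if "origin" in attrs:
        # Origin supersedes Path, Domain and Secure: they are ignored entirely,
        # and the cookie is bound to the setting origin.
        return Cookie(name.strip(), value, origin_of(setter_url), host, "/", False)
    domain = attrs.get("domain", host).lstrip(".").lower()
    return Cookie(name.strip(), value, None, domain, attrs.get("path", "/"),
                  "secure" in attrs)


class CookieJar:
    def __init__(self) -> None:
        self.cookies: Dict[tuple, Cookie] = {}

    def set_cookie(self, header: str, setter_url: str) -> None:
        c = parse_set_cookie(header, setter_url)
        # Origin cookies from different origins never collide; non-origin
        # cookies collide on (name, domain, path), which is what lets a
        # cookie set over HTTP overwrite one set over HTTPS.
        key = (c.name, c.origin) if c.origin else (c.name, c.domain, c.path)
        self.cookies[key] = c

    def request_headers(self, url: str) -> Dict[str, str]:
        """Cookie / Origin-Cookie header values for a request to url."""
        u = urlsplit(url)
        origin = origin_of(url)
        host, path = (u.hostname or "").lower(), u.path or "/"
        plain, origin_cookies = [], []
        for c in self.cookies.values():
            if c.origin is not None:
                # Exact origin match only; scheme and port count.
                if c.origin == origin:
                    origin_cookies.append(f"{c.name}={c.value}")
                continue
            domain_ok = host == c.domain or host.endswith("." + c.domain)
            path_ok = path == c.path or path.startswith(c.path.rstrip("/") + "/")
            secure_ok = (not c.secure) or u.scheme == "https"
            if domain_ok and path_ok and secure_ok:
                plain.append(f"{c.name}={c.value}")
        headers: Dict[str, str] = {}
        if plain:
            headers["Cookie"] = "; ".join(plain)
        if origin_cookies:
            headers["Origin-Cookie"] = "; ".join(origin_cookies)
        return headers


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed scenario: HTTPS site sets SID, a plain-HTTP response for the
    same host later sets a cookie of the same name. Returns what reaches HTTPS."""
    legacy, origin = CookieJar(), CookieJar()
    legacy.set_cookie("SID=31d4d96e407aad42; Secure", "https://example.com/")
    legacy.set_cookie("SID=overwritten; Domain=example.com", "http://example.com/")
    origin.set_cookie("SID=31d4d96e407aad42; Origin", "https://example.com/")
    origin.set_cookie("SID=overwritten; Origin", "http://example.com/")
    return {"legacy": legacy.request_headers("https://example.com/account"),
            "origin": origin.request_headers("https://example.com/account")}


if __name__ == "__main__":
    for mode, hdrs in demo().items():
        print(mode, hdrs)
```

In the legacy jar the HTTPS server receives `Cookie: SID=overwritten` with no way to tell which origin set it; in the origin jar it receives `Origin-Cookie: SID=31d4d96e407aad42`, because the HTTP-set cookie is bound to `(http, example.com, 80)` and is never sent to the HTTPS origin. Real cookie stores keep the two legacy SID cookies as separate entries rather than overwriting, but both would still be sent, so the server-side ambiguity is the same.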