Re: [http-state] HTTP cookie processing wrt "public suffixes"

Zhong Yu <zhong.j.yu@gmail.com> Tue, 19 May 2015 16:36 UTC

Return-Path: <zhong.j.yu@gmail.com>
X-Original-To: http-state@ietfa.amsl.com
Delivered-To: http-state@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3484C1ACEED for <http-state@ietfa.amsl.com>; Tue, 19 May 2015 09:36:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.501
X-Spam-Level:
X-Spam-Status: No, score=-1.501 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, GB_I_LETTER=-2, J_CHICKENPOX_52=0.6, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mMsVmjvx-XS1 for <http-state@ietfa.amsl.com>; Tue, 19 May 2015 09:36:19 -0700 (PDT)
Received: from mail-ig0-x22d.google.com (mail-ig0-x22d.google.com [IPv6:2607:f8b0:4001:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A20B51B309D for <http-state@ietf.org>; Tue, 19 May 2015 09:35:32 -0700 (PDT)
Received: by igcau1 with SMTP id au1so18549908igc.1 for <http-state@ietf.org>; Tue, 19 May 2015 09:35:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=OeaMrsou5vTCSg1+5XUVoUe4oCycXTF9jojrPluSDpc=; b=JMqeU/UOG5vxl3M7bwNHMnaG4dY9y2fSJJBoCmBdnKAzR6QH12NPtPgaLKj3NigAch IAACFL8xrL3gE8NpDAC2P1WDoQ2BCcEUGnyc0gYrzXc+Ni92ZfKQcSGIdrJc6HsgOX/2 IDSzstZCcmzlfyhJrm2rxXBP/t7syVU5uF+RmQ5Lx7V3v+bgrOK3ma8QVIt6mUtxoN8/ L2slmEHH/CaQboT1HOjr/Xx9tQorogF278c22bsU4nQgo2tItkWshqtwUyTpBZs1OoVM JA8g6c9yUOOfUMNMdbwKky8ZK7vlqTPs9X382McvI7GeQFrWVnRTXqkUwHBkixaV3vdN oK1Q==
MIME-Version: 1.0
X-Received: by 10.50.112.73 with SMTP id io9mr22904000igb.18.1432053331990; Tue, 19 May 2015 09:35:31 -0700 (PDT)
Received: by 10.64.103.106 with HTTP; Tue, 19 May 2015 09:35:31 -0700 (PDT)
In-Reply-To: <555B095F.7050206@mozilla.org>
References: <CACuKZqGu9vFnQMtkpbG=g3iK6XHKAeOsnsaBxkXYJVqxvzbRRg@mail.gmail.com> <555B095F.7050206@mozilla.org>
Date: Tue, 19 May 2015 11:35:31 -0500
Message-ID: <CACuKZqE1yr-5e2GeodeBfD+Azq9xN9PL5KyNTVnhKMSL19SmLg@mail.gmail.com>
From: Zhong Yu <zhong.j.yu@gmail.com>
To: Gervase Markham <gerv@mozilla.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-state/snKwIBiMlxS_rj9HlnPqjBulLUM>
Cc: team@publicsuffix.org, http-state <http-state@ietf.org>
Subject: Re: [http-state] HTTP cookie processing wrt "public suffixes"
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state/>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 May 2015 16:36:24 -0000

Thanks Gerv, but we are talking about different things. In this
discussion, there is no dispute that "amazonaws.com" is-not a public
suffix, and "computer.amazonaws.com" is.

The question is, whether "foo.computer.amazonaws.com" can set a cookie
with domain "amazonaws.com". Obvious it should not be able to. And all
major browsers will deny it.

However, the letter of RFC6265 would have permitted it, because the
cookie domain "amazonaws.com" is not a public suffix.

There are two ways to address this problem:

1. fix RFC
2. fix PSL so that a parent of a public suffix is implicitly a public
suffix. (this is a little different from the discussion of "*" rules)

I think (2) is pretty reasonable. Domain names are cheap, a company
should just get a new domain for public suffix, instead of use a
subdomain.

Zhong Yu
bayou.io



On Tue, May 19, 2015 at 4:58 AM, Gervase Markham <gerv@mozilla.org> wrote:
> On 18/05/15 15:44, Zhong Yu wrote:
>> There is a complication that is neither addressed in the RFC nor in
>> Jeff's document:
>>
>>    - it's possible that the parent of a public suffix is not a public
>> suffix itself.
>
> See https://bugzilla.mozilla.org/show_bug.cgi?id=1139842 for the
> discussion of the PSL team on how to deal with the current ambiguous
> situation in the PSL.
>
> Gerv