[http-state] Setting cookies for sibling domains (was Re: Security considerations overview)

Adam Barth <ietf@adambarth.com> Wed, 03 March 2010 23:41 UTC

From: Adam Barth <ietf@adambarth.com>
Date: Wed, 03 Mar 2010 15:40:47 -0800
Message-ID: <5c4444771003031540j3d1092dbx2dfa2dc4d455dfe8@mail.gmail.com>
To: Mark Pauley <mpauley@apple.com>
Cc: http-state <http-state@ietf.org>
Subject: [http-state] Setting cookies for sibling domains (was Re: Security considerations overview)

On Wed, Mar 3, 2010 at 3:38 PM, Mark Pauley <mpauley@apple.com> wrote:
> It would appear that this is covered by 4.1.2.2
>
> We (and many other browsers) do allow setting a cookie with domain .bar.example.com from .foo.example.

Oh, I thought I tested that case.  Give me a few minutes to write a
test case for this behavior.

> Indeed, some web applications rely on this behavior.  The compromise is that we'll allow .foo.example.com to set a cookie for .bar.example.com if and only if .example.com is not a Top Level (or registry controlled) Domain.

I find that surprising, but that's why we have tests.  :)

Adam


> On Mar 3, 2010, at 3:32 PM, Mark Pauley wrote:
>
>> Excuse my ignorance, I've just recently joined this list.
>>
>> Is this the correct forum to enquire about what we refer to as the 'Cross Site Acceptance Policy'?  We (Safari / CFNetwork) by default refuse to set cookies from hosts from a domain tree outside of the current Top Level Domain tree.  That is, from a host with name x1.x2.x3...x_k we'll set a cookie with domain .y1.y2.y3...y_m if and only if y_m == x_k, y_m-1 == x_k-1, etc., up to y_m-n == x_k-n, and y1....y_m-n is not a top level domain.
>>
>> That is, if the domain is at least a cousin: the target domain shares a common ancestor with the origin domain which is not a Top Level Domain.
>>
>> We've worked out that this is probably the most restrictive definition that will work given a good enough description of what a Top Level Domain is (which we have thanks to the Mozilla Top Level Domain list project).
>>
>>
>> _______________________________________________
>> http-state mailing list
>> http-state@ietf.org
>> https://www.ietf.org/mailman/listinfo/http-state
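As an added worked example (not code from this thread, nor from Safari/CFNetwork or any draft text), the two acceptance rules the message contrasts, implemented side by side: the draft rule Adam expected, where the request host must domain-match the Domain attribute, and the cross-site acceptance policy Mark describes, where host and Domain need only share a common ancestor that is not a registry-controlled domain. The public-suffix set is a constructed toy for the example; the function and case names are mine and real browsers consult the Mozilla Public Suffix List instead.

```python
"""Two cookie Domain-attribute acceptance policies, side by side.

strict_policy  : request host must domain-match the Domain attribute, and the
                 Domain must not be a public suffix (the rule Adam expected).
sibling_policy : the 'cross-site acceptance policy' Mark describes: host and
                 Domain need only share a common ancestor that is not a public
                 suffix, so sibling and cousin domains pass.
"""

# Constructed toy public-suffix set for this example only. Real browsers use
# the Mozilla Public Suffix List (https://publicsuffix.org/), which is far
# larger and has wildcard and exception rules this set does not model.
PUBLIC_SUFFIXES = {"com", "org", "io", "uk", "co.uk", "org.uk", "github.io"}


def canonical(name: str) -> str:
    """Lower-case and drop leading/trailing dots; a leading dot on the
    Domain attribute is ignored, as in RFC 6265 section 5.2.3."""
    return name.strip().lower().strip(".")


def is_public_suffix(name: str) -> bool:
    return canonical(name) in PUBLIC_SUFFIXES


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host is the domain itself or a subdomain of it.
    The '.' prefix in the endswith check keeps 'ample.com' from matching
    'example.com'."""
    host, domain = canonical(host), canonical(domain)
    return host == domain or host.endswith("." + domain)


def common_ancestor(host: str, domain: str) -> str:
    """Longest shared label suffix of host and domain, '' if none."""
    shared = []
    for a, b in zip(reversed(canonical(host).split(".")),
                    reversed(canonical(domain).split("."))):
        if a != b:
            break
        shared.append(a)
    return ".".join(reversed(shared))


def strict_policy(request_host: str, cookie_domain: str) -> bool:
    """Accept iff Domain is not a public suffix and the request host
    domain-matches it: foo.example.com -> Domain=bar.example.com is refused."""
    if is_public_suffix(cookie_domain):
        return False
    return domain_matches(request_host, cookie_domain)


def sibling_policy(request_host: str, cookie_domain: str) -> bool:
    """Accept iff host and Domain share a common ancestor that is not a public
    suffix: foo.example.com -> Domain=bar.example.com passes via example.com;
    foo.co.uk -> Domain=bar.co.uk fails because co.uk is a public suffix."""
    if is_public_suffix(cookie_domain):
        return False
    ancestor = common_ancestor(request_host, cookie_domain)
    return bool(ancestor) and not is_public_suffix(ancestor)


def compare(request_host: str, cookie_domain: str) -> dict:
    """Both verdicts for one (host, Domain attribute) pair."""
    return {
        "strict": strict_policy(request_host, cookie_domain),
        "sibling": sibling_policy(request_host, cookie_domain),
    }


if __name__ == "__main__":
    # Constructed test pairs covering the cases the thread discusses.
    cases = [
        ("foo.example.com", "bar.example.com"),   # sibling: the disputed case
        ("foo.example.com", "example.com"),       # parent: both accept
        ("example.com", "foo.example.com"),       # child: only sibling policy accepts
        ("a.b.example.com", "c.d.example.com"),   # cousin
        ("foo.co.uk", "bar.co.uk"),               # common ancestor is a public suffix
        ("foo.github.io", "bar.github.io"),       # same, via a private PSL entry
        ("www.example.com", "example.org"),       # no common ancestor
        ("foo.example.com", "ample.com"),         # label-boundary check
    ]
    for host, dom in cases:
        r = compare(host, dom)
        print(f"{host:18} Domain={dom:18} strict={r['strict']!s:5} sibling={r['sibling']}")
```

The difference that matters for the security considerations is the first case: under the sibling policy a cookie set by foo.example.com with Domain=bar.example.com is stored and later sent to bar.example.com, which is exactly the behaviour the subject line is about; the public-suffix check on the common ancestor is the only thing stopping the same trick across registry-controlled domains such as co.uk.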