Re: [http-state] Origin cookies and backwards compatibility
Adam Barth <ietf@adambarth.com> Thu, 07 April 2011 07:29 UTC
Return-Path: <ietf@adambarth.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C33173A6814 for <http-state@core3.amsl.com>; Thu, 7 Apr 2011 00:29:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.809
X-Spam-Level:
X-Spam-Status: No, score=-2.809 tagged_above=-999 required=5 tests=[AWL=0.168, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7fZ3zjZYgE3f for <http-state@core3.amsl.com>; Thu, 7 Apr 2011 00:29:45 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by core3.amsl.com (Postfix) with ESMTP id EE39D3A67F3 for <http-state@ietf.org>; Thu, 7 Apr 2011 00:29:44 -0700 (PDT)
Received: by iye19 with SMTP id 19so2720516iye.31 for <http-state@ietf.org>; Thu, 07 Apr 2011 00:31:29 -0700 (PDT)
Received: by 10.42.115.74 with SMTP id j10mr11356icq.275.1302161489367; Thu, 07 Apr 2011 00:31:29 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id d9sm965408ibb.36.2011.04.07.00.31.28 (version=SSLv3 cipher=OTHER); Thu, 07 Apr 2011 00:31:28 -0700 (PDT)
Received: by iwn39 with SMTP id 39so2731070iwn.31 for <http-state@ietf.org>; Thu, 07 Apr 2011 00:31:28 -0700 (PDT)
Received: by 10.42.56.75 with SMTP id y11mr842016icg.295.1302161488083; Thu, 07 Apr 2011 00:31:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.42.227.69 with HTTP; Thu, 7 Apr 2011 00:30:58 -0700 (PDT)
In-Reply-To: <alpine.DEB.2.02.1104070233430.4468@dr-wily.mit.edu>
References: <alpine.DEB.2.02.1104070233430.4468@dr-wily.mit.edu>
From: Adam Barth <ietf@adambarth.com>
Date: Thu, 07 Apr 2011 00:30:58 -0700
Message-ID: <BANLkTimhkQsoGrrgLKH3kju33GeWrz8j0g@mail.gmail.com>
To: Anders Kaseorg <andersk@mit.edu>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Cc: http-state@ietf.org
Subject: Re: [http-state] Origin cookies and backwards compatibility
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2011 07:29:45 -0000
On Thu, Apr 7, 2011 at 12:18 AM, Anders Kaseorg <andersk@mit.edu> wrote: > draft-abarth-cake [1] seems to have a problem for servers that want to > maintain compatibility with old clients (which I expect will be most of > them, for a long while). How can the server distinguish a client that > does not support origin cookies from a client that supports them but does > not currently have any to send? Originally, my plan was that the server would set an Origin cookie. The user agent would then return that cookie in the Origin-Cookie header, which would inform the server that the user agent support origin cookies. However, it occurs to me now that there's an issue with the Origin cookie getting evicted. > If the server falls back on the plain Cookie header when Origin-Cookie is > not present in the request, then an attacker can inject a plain cookie via > several well-known methods [2], defeating the purpose of this proposal. Assuming they're able to first evict the Origin cookie. > It seems to me that a client supporting origin cookies ought to be > required to notify the server if it is sending plain cookies but no origin > cookies, so that the server has enough information to decide to ignore the > plain Cookie header from sufficiently new clients. Possibly. There might be other solutions that don't involve spamming every server with the information that the user agent supports Origin cookies. I'll think more about it. > (By the way, there seems to be a typo here: “If the user agent sends the > server both origin and non-origin cookies, the origin cookies are returned > in the Origin-Cookie header field and the non-origin cookies are returned > in the Origin-Cookie header field.”) > > (By the way too, same-origin policies are typically defined using a > (scheme, host, port) tuple [3], but draft-abarth-cake makes no mention of > a port number restriction; is that intentional? A port number restriction > is important for shared virtual hosting environments, where it may be > possible for one user to bind to the shared IP address on a high port > number and steal cookies intended for another user on port 80.) The draft is light on details, but the intention is that Origin cookies are scoped to a specific origin, defined using the usual (scheme, host, port) tuple. Thanks! Adam