Re: [http-state] cake spec: server-side initiation only?
Adam Barth <ietf@adambarth.com> Sat, 04 December 2010 00:03 UTC
Return-Path: <ietf@adambarth.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 43DFA3A69D8 for <http-state@core3.amsl.com>; Fri, 3 Dec 2010 16:03:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.712
X-Spam-Level:
X-Spam-Status: No, score=-3.712 tagged_above=-999 required=5 tests=[AWL=-1.335, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FWMIAS8Ep7sn for <http-state@core3.amsl.com>; Fri, 3 Dec 2010 16:03:37 -0800 (PST)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by core3.amsl.com (Postfix) with ESMTP id 4C89D28C119 for <http-state@ietf.org>; Fri, 3 Dec 2010 16:03:37 -0800 (PST)
Received: by ywi6 with SMTP id 6so999234ywi.31 for <http-state@ietf.org>; Fri, 03 Dec 2010 16:04:55 -0800 (PST)
Received: by 10.150.97.1 with SMTP id u1mr4892806ybb.74.1291421095335; Fri, 03 Dec 2010 16:04:55 -0800 (PST)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id q31sm1604047yba.18.2010.12.03.16.04.54 (version=SSLv3 cipher=RC4-MD5); Fri, 03 Dec 2010 16:04:54 -0800 (PST)
Received: by iwn40 with SMTP id 40so12346268iwn.31 for <http-state@ietf.org>; Fri, 03 Dec 2010 16:04:53 -0800 (PST)
Received: by 10.231.17.1 with SMTP id q1mr2493373iba.153.1291421093318; Fri, 03 Dec 2010 16:04:53 -0800 (PST)
MIME-Version: 1.0
Received: by 10.231.12.77 with HTTP; Fri, 3 Dec 2010 16:04:22 -0800 (PST)
In-Reply-To: <SNT129-DS18EED7DB682AB192036942A4280@phx.gbl>
References: <AANLkTimDRJkwXoXt-2Lm6qNjEVcRN5bqdN01_G2+8Df_@mail.gmail.com> <SNT129-DS18EED7DB682AB192036942A4280@phx.gbl>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 03 Dec 2010 16:04:22 -0800
Message-ID: <AANLkTinOOF5gFnr-duygSarpE1LzsbP1EAgoYW2y-y-v@mail.gmail.com>
To: Mike Wilson <mikewse@hotmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: http-state@ietf.org
Subject: Re: [http-state] cake spec: server-side initiation only?
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Dec 2010 00:03:38 -0000
On Fri, Dec 3, 2010 at 3:48 PM, Mike Wilson <mikewse@hotmail.com> wrote: > Adam Barth wrote: >> On Fri, Dec 3, 2010 at 12:01 PM, Mike Wilson >> <mikewse@hotmail.com> wrote: >> > Reading http://www.ietf.org/id/draft-abarth-cake-00.txt, >> > I wonder if client-side nonce generation (as initially >> > proposed on the mailing list) was dropped altogether or >> > just hasn't been speced yet? >> >> [...] >> >> Set-Cookie: foo=bar; Origin >> >> Using the Origin attribute sets the scope of the cookie to the current >> origin (scheme, host, and port). The Origin attribute overrides the >> Domain and Path attributes. Additionally, the cookie is returned to >> the server in the Origin-Cookie header: >> >> Origin-Cookie: foo=bar >> >> The reason we return the cookie in a separate header is so the server >> can know that the cookie was set by its own origin. If we returned >> the cookie in the Cookie header, then an attacker could inject a >> non-Origin cookie with the same name and confuse the server. > > Ok, so you are thinking about an extension to cookies instead of > a new cake mechanism. The question boils down to how you expect web sites to interact with both new and old user agents. I don't think this is a settled question. Originally, I didn't see how to integrate with cookies and still get the security properties we want. >> On Fri, Dec 3, 2010 at 12:02 PM, Mike Wilson >> <mikewse@hotmail.com> wrote: >> > Earlier this year [1] we discussed state scoped on individual >> > windows or tabs: >> > >> > [...] >> > >> > I see that you have addressed CSRF in cakes. Were/are you thinking >> > that cakes is the better place to add future window scopes to? >> >> Independently of the Origin attribute, I think an "instance" attribute >> make sense. Here we'd want to follow the same scoping rules as >> sessionStorage (at the application layer). In particular, each tab >> has a separate scope, but if one tab is created from another, it >> starts off with a clone of the previous tab's state. > > I think more scopes than user_agent and browsing_context could be > interesting so I would not go for a boolean attribute. > Anyway, is now a good time to start looking at these factors, or > is there other work you want to finish first? I've been holding off discussing these topics until we're done with the basic cookie spec. That seems to be mostly wrapping up. This working group isn't charted to work on improvements to the cookie protocol, but I suspect Jeff would indulge us if we wanted to discuss it for a bit. Adam