Harmonizing draft-west-cookie-prefixes-05 with the web origin concept
Adam Barth <w3c@adambarth.com> Wed, 23 December 2015 05:16 UTC
From: Adam Barth <w3c@adambarth.com>
Date: Tue, 22 Dec 2015 21:12:01 -0800
Message-ID: <CADBiRd373aPUXeZ+6ZrYM1273H3-AVDSpLJxXLMUaj9Nvixypg@mail.gmail.com>
To: httpbis <ietf-http-wg@w3.org>
Subject: Harmonizing draft-west-cookie-prefixes-05 with the web origin concept
Archived-At: <http://www.w3.org/mid/CADBiRd373aPUXeZ+6ZrYM1273H3-AVDSpLJxXLMUaj9Nvixypg@mail.gmail.com>
== Issues with draft-west-cookie-prefixes-05 ==

1) As currently written, the __Secure- prefix is not as secure as the __Host- prefix because it supports the Domain attribute. For example, if you wanted to recommend the most secure way to use cookies (including this feature), you'd recommend using __Host- rather than __Secure-. In order for the names of the protocol elements to be self-describing, we should use __Secure- for the most secure option.

2) Even with these extensions, there's still no way to use cookies in a way that matches the web origin concept. Specifically, even if you use __Host- and set all the attributes correctly, your cookies are still shared between all the ports on a given host, which is different from web origins because web origins are determined by the scheme, host, and port. Security problems commonly arise because of these sorts of "cracks" between different security models. For better security, there should be a way to use cookies with a security model that matches up with web origins.

== Proposal ==

I'm sure there will be endless bikeshedding about the syntax for cookie prefixes, but I'd like to make a proposal for a slightly different syntax (with different semantics) that addresses the issues I've raised above:

Set-Cookie: ['self']-SID=12345; Secure; Path=/
Set-Cookie: [*.example.com]-SID=12345; Secure; Domain=example.com
Set-Cookie: [*.example.com:*]-SID=12345; Secure; Domain=example.com
Set-Cookie: [/foo/bar]-SID=12345; Secure; Path=/foo/bar

In this approach, the cookie prefix indicates the scope of the cookie:

* In the first example, the prefix ['self']- restricts the scope of the cookie to the scheme, host, and port from which the cookie was set.
* In the second example, the cookie's scope is example.com and all of its subdomains, but restricted to the original port.
* In the third example, the scope is expanded to include all the ports.
* In the fourth example, the scope is the current scheme, host, and port as well as the path /foo/bar.

I've borrowed the syntax from CSP's source-list: <http://www.w3.org/TR/CSP2/#source-list-syntax>. Specifically, the grammar for what goes inside the brackets would be roughly:

"'self'" / host-source / path-part

Obviously, we can continue to bikeshed the syntax, but this syntax also lets you use a short sequence when you want to match the web origin exactly:

[/]-

More controversially, we might want to make these prefixes *authoritative* for the scope, meaning they would override any scope-related cookie attributes. In the near term, we would still recommend that servers send the cookie attributes as well as the prefixes, but having the prefixes override the attributes gives us the flexibility in the future to deprecate the scoping attributes.

Adam
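The following is an added worked example, not part of Adam Barth's message and not code from draft-west-cookie-prefixes or any browser. It models the bracket-prefix scoping sketched above in JavaScript: it parses the four Set-Cookie forms, derives a scope of (scheme, host, subdomain flag, port, path) from the prefix alone (the "authoritative" variant, where Domain and Path attributes are ignored), and checks whether a request URL falls inside that scope. It also models the __Host- scope as the draft defines it (host-bound, any port) so the port "crack" from issue 2 is visible in the checks. The message only gives a rough grammar, so the following are my assumptions: a host-source without a port inherits the setting origin's port, the scheme is always inherited from the setting origin, and path-part uses RFC 6265 path matching. All URLs and cookie lines below are constructed for the example.

```javascript
// Added example: a toy scope model for the bracket-prefix proposal.
// Assumed semantics (the proposal only sketches the grammar):
//   ['self']      -> scheme, host and port of the origin that set the cookie
//   [host-source] -> optional "*." (subdomains), host, optional ":port" or ":*";
//                    scheme inherited, port inherited unless given
//   [/path]       -> the setting origin, restricted to a path (RFC 6265 path-match)
//   [/]           -> the setting origin exactly
const PREFIX_RE = /^\[([^\]]+)\]-(.*)$/;
const HOST_SOURCE_RE = /^(\*\.)?([A-Za-z0-9.-]+)(?::(\d+|\*))?$/;

function defaultPort(scheme) {
  return scheme === "https:" ? 443 : scheme === "http:" ? 80 : null;
}

function effectivePort(url) {
  return url.port ? Number(url.port) : defaultPort(url.protocol);
}

// Translate the text inside the brackets into a scope, relative to the
// origin (a URL object) of the response that carried the Set-Cookie.
function parseScope(spec, origin) {
  const base = {
    scheme: origin.protocol,
    host: origin.hostname.toLowerCase(),
    includeSubdomains: false,
    port: effectivePort(origin),
    path: "/",
  };
  if (spec === "'self'") return base;
  if (spec.startsWith("/")) return { ...base, path: spec }; // path-part
  const m = HOST_SOURCE_RE.exec(spec);
  if (!m) throw new Error(`unsupported prefix scope: ${spec}`);
  const [, wildcard, host, port] = m;
  return {
    ...base,
    host: host.toLowerCase(),
    includeSubdomains: Boolean(wildcard),
    port: port === undefined ? base.port : port === "*" ? "*" : Number(port),
  };
}

// Parse one Set-Cookie line. Returns null for cookies without a bracket prefix.
// In the "authoritative" variant the prefix alone decides the scope; the
// Domain/Path attributes are kept only for inspection.
function parseSetCookie(line, originUrl) {
  const origin = new URL(originUrl);
  const [nameValue, ...attrs] = line.split(";").map((s) => s.trim());
  const m = PREFIX_RE.exec(nameValue);
  if (!m) return null;
  const [, spec, rest] = m;
  const eq = rest.indexOf("=");
  return {
    name: rest.slice(0, eq),
    value: rest.slice(eq + 1),
    scope: parseScope(spec, origin),
    attrs,
  };
}

// Scope of a __Host- cookie as draft-west-cookie-prefixes describes it:
// Secure, no Domain, Path=/ -- bound to the host but shared across ports.
function hostPrefixScope(originUrl) {
  const origin = new URL(originUrl);
  return {
    scheme: "https:",
    host: origin.hostname.toLowerCase(),
    includeSubdomains: false,
    port: "*",
    path: "/",
  };
}

// Would a cookie with this scope be attached to a request for requestUrl?
function inScope(scope, requestUrl) {
  const u = new URL(requestUrl);
  if (u.protocol !== scope.scheme) return false;
  const h = u.hostname.toLowerCase();
  const hostOk =
    h === scope.host || (scope.includeSubdomains && h.endsWith("." + scope.host));
  if (!hostOk) return false;
  if (scope.port !== "*" && effectivePort(u) !== scope.port) return false;
  // RFC 6265 path-match: equal, or cookie-path is a prefix at a "/" boundary.
  const dir = scope.path.endsWith("/") ? scope.path : scope.path + "/";
  return u.pathname === scope.path || u.pathname.startsWith(dir);
}

module.exports = { parseSetCookie, hostPrefixScope, inScope };
```

The contrast worth noticing is between `['self']-` set from `https://example.com:8443/` and `__Host-` set from the same origin: the first is not sent to `https://example.com/` (port 443), the second is, which is exactly the gap between cookie scoping and the web origin that the message describes.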