Re: Origin cookies

Mike West <mkwst@google.com> Mon, 27 October 2014 07:43 UTC

From: Mike West <mkwst@google.com>
Date: Mon, 27 Oct 2014 08:40:55 +0100
Message-ID: <CAKXHy=cW-5+aHqi0ULB-dAGr7CZ+ZYnipKabt0yaHVb58-DO7Q@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Cc: Zhong Yu <zhong.j.yu@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <http://www.w3.org/mid/CAKXHy=cW-5+aHqi0ULB-dAGr7CZ+ZYnipKabt0yaHVb58-DO7Q@mail.gmail.com>

On Sun, Oct 26, 2014 at 2:06 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:

> For example, my company has a public web site checkpoint.com, that is
> pretty much a “storefront” type website. It’s probably running on Apache or
> nginx and written by website designers. We have a
> supportcenter.checkpoint.com that has support articles, price lists and
> the like, and is written by different website designers. Then we have
> exchange.checkpoint.com that is a Microsoft server, a SAP portal written
> by SAP, and even sslvpn.checkpoint.com (now disabled) that runs (not
> surprisingly) an SSL-VPN solution written by us.
>
> So no, you can’t assume that subdomains are written by the same people.
>

Note also that in the presence of an active network attacker with control
of DNS (e.g. your local coffee shop), _every_ origin has attacker-controlled
subdomains served over HTTP.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
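The following is an added example, not code from the thread or from any browser: a small model of the scenario the two messages above describe. It contrasts the RFC 6265 domain-scoped cookie jar browsers ship with a hypothetical origin-scoped jar, and shows that a cookie planted from an attacker-controlled HTTP subdomain (the hostname evil.checkpoint.com and the cookie values are constructed for the demo) reaches the sibling HTTPS origin in the first model but not the second. The public suffix list, Path and Expires handling, and IP-literal hosts are deliberately left out.

```python
# Added example for the "Origin cookies" thread; not code from the original
# message. Models RFC 6265 domain scoping against a hypothetical origin-scoped
# jar. Hostnames, cookie names and values are constructed for the demo.
from dataclasses import dataclass
from urllib.parse import urlsplit


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match. Simplification: the public suffix
    list and IP-literal hosts are ignored, so Domain=com would be accepted here
    although real browsers reject it."""
    return host == domain or host.endswith("." + domain)


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # effective domain, lower-case, no leading dot
    host_only: bool  # True when the Set-Cookie carried no Domain attribute
    secure: bool


def parse_set_cookie(setting_url: str, header: str):
    """Apply the RFC 6265 section 5.3 storage rules that matter here.
    Returns a Cookie, or None when the user agent must ignore the header."""
    host = urlsplit(setting_url).hostname.lower()
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, host_only, secure = host, True, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and val.strip():
            dom = val.strip().lower().lstrip(".")
            if not domain_matches(host, dom):
                return None  # step 6: a cookie for an unrelated domain is dropped
            domain, host_only = dom, False
        elif key == "secure":
            secure = True
    return Cookie(name.strip(), value.strip(), domain, host_only, secure)


class DomainCookieJar:
    """Today's jar: cookies are keyed by name and domain, never by the origin
    that set them. Host-only and Domain cookies of the same name coexist, as
    in common browser implementations, and are emitted in creation order."""

    def __init__(self):
        self._store = {}

    def set_cookie(self, setting_url: str, header: str) -> bool:
        cookie = parse_set_cookie(setting_url, header)
        if cookie is None:
            return False
        self._store[(cookie.name, cookie.domain, cookie.host_only)] = cookie
        return True

    def cookie_header(self, request_url: str) -> str:
        u = urlsplit(request_url)
        host, https = u.hostname.lower(), u.scheme == "https"
        sent = []
        for c in self._store.values():
            if c.host_only and host != c.domain:
                continue
            if not c.host_only and not domain_matches(host, c.domain):
                continue
            if c.secure and not https:
                continue
            sent.append(f"{c.name}={c.value}")
        # The Cookie header carries neither Domain nor the setting origin, so
        # the server cannot tell which of these values it set itself.
        return "; ".join(sent)


class OriginCookieJar:
    """Hypothetical origin-scoped jar: a cookie is keyed by the (scheme, host,
    port) that set it and is sent only to exactly that origin. The Domain
    attribute is ignored on purpose, so a subdomain cannot widen its scope."""

    def __init__(self):
        self._store = {}

    @staticmethod
    def _origin(url: str):
        u = urlsplit(url)
        port = u.port or (443 if u.scheme == "https" else 80)
        return (u.scheme, u.hostname.lower(), port)

    def set_cookie(self, setting_url: str, header: str) -> bool:
        cookie = parse_set_cookie(setting_url, header)
        if cookie is None:
            return False
        self._store[(self._origin(setting_url), cookie.name)] = cookie
        return True

    def cookie_header(self, request_url: str) -> str:
        origin = self._origin(request_url)
        return "; ".join(f"{c.name}={c.value}"
                         for (o, _), c in self._store.items() if o == origin)


def demo() -> dict:
    """The scenario from the thread: the user holds a session on
    https://checkpoint.com; an active network attacker controlling DNS then
    answers for the constructed hostname http://evil.checkpoint.com and plants
    a same-name cookie for the parent domain."""
    results = {}
    for label, jar in (("domain", DomainCookieJar()), ("origin", OriginCookieJar())):
        jar.set_cookie("https://checkpoint.com/login", "session=real; Secure")
        jar.set_cookie("http://evil.checkpoint.com/",
                       "session=attacker; Domain=checkpoint.com")
        results[label] = jar.cookie_header("https://checkpoint.com/account")
    return results


if __name__ == "__main__":
    for label, header in demo().items():
        print(f"{label}-scoped jar, GET https://checkpoint.com/account -> Cookie: {header}")
```

With the domain-scoped jar the HTTPS origin receives both `session=real` and `session=attacker` in one Cookie header and has no way to distinguish them (and a real attacker can additionally use a longer Path to sort first); with the origin-scoped jar the planted cookie never leaves the attacker's own origin.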