Cookies and schemes.

Mike West <> Mon, 09 March 2020 08:55 UTC

From: Mike West <>
Date: Mon, 09 Mar 2020 09:51:46 +0100
To: HTTP Working Group <>
Subject: Cookies and schemes.

Hey folks!

We've known for quite some time that cookies' lack of respect for the
scheme that created them was an unfortunate choice that means cookies can
give only weak guarantees of confidentiality. We further know that
long-lived non-secure cookies create real risks for users (pervasive
monitoring, data safety, etc).

Martin Thomson's is
one take on an approach to mitigating these risks. is another. Neither took
off when they were proposed, but they seem to me to be clearly good ideas,
at least directionally. Given the state of the world today, and the
significant migration from HTTP to HTTPS we've seen in the past few years,
I'd like to try tilting at this particular windmill again: proposes two changes:

1. We teach cookies about schemes, and lock them to the scheme that set
them (just like every other web-facing storage mechanism).

2. We curtail non-secure schemes' cookies' lifetime by agreeing on a set of
heuristics for a user's "session" on a given site, and culling cookies when
a site's session expires.

The explainer tries to work through each of those and their implications in
a little more detail. I'd appreciate feedback, either here or in the GitHub
repo. :)
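Added illustration of the two proposed changes as a toy cookie store in JavaScript. This is not code from the explainer, from RFC 6265bis, or from any browser; the seven-day idle timeout that stands in for a "session" heuristic, and every class and function name here, are assumptions made for the example. The `schemeBound` switch lets the same store show the legacy host-only keying beside the scheme-bound keying, so the `demo(false)` case reproduces the confidentiality weakness the message opens with: a cookie set over https:// is attached to a plain http:// request.

```javascript
// Added example, not code from the explainer or any browser. The store
// layout, the idle-timeout "session" heuristic and all names are assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;

class CookieJar {
  // schemeBound = true implements change 1: a cookie is keyed by the scheme
  // that set it. nonSecureIdleMs implements change 2 with a deliberately
  // simple heuristic: a site's http:// "session" ends after this much idle
  // time, and its non-secure cookies are culled when that happens.
  constructor({ schemeBound = true, nonSecureIdleMs = 7 * DAY_MS } = {}) {
    this.schemeBound = schemeBound;
    this.nonSecureIdleMs = nonSecureIdleMs;
    this.store = new Map();    // key -> cookie record
    this.lastHttp = new Map(); // host -> time of last http:// activity (ms)
  }

  static origin(url) {
    const u = new URL(url);
    return { scheme: u.protocol.slice(0, -1), host: u.hostname };
  }

  key(scheme, host, name) {
    // Legacy jars key on host only, so http:// and https:// share cookies.
    return (this.schemeBound ? scheme + '://' : '') + host + '\u0000' + name;
  }

  // Record http:// activity so the session heuristic knows when a site was last used.
  touch(scheme, host, now) {
    if (scheme === 'http') this.lastHttp.set(host, now);
  }

  // Process one Set-Cookie header value from a response to `url`.
  // Returns true if the cookie was stored.
  set(url, header, now = Date.now()) {
    const { scheme, host } = CookieJar.origin(url);
    const [pair, ...attrs] = header.split(';').map(s => s.trim());
    const eq = pair.indexOf('=');
    if (eq <= 0) return false; // malformed: no cookie name
    const rec = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                  scheme, host, secure: false, expires: null };
    for (const a of attrs) {
      const i = a.indexOf('=');
      const k = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
      const v = i < 0 ? '' : a.slice(i + 1).trim();
      if (k === 'secure') rec.secure = true;
      else if (k === 'max-age') rec.expires = now + Number(v) * 1000;
    }
    // Already required by RFC 6265bis: only secure origins may set Secure cookies.
    if (rec.secure && scheme !== 'https') return false;
    this.store.set(this.key(scheme, host, rec.name), rec);
    this.touch(scheme, host, now);
    return true;
  }

  // Cookies to attach to a request to `url`, as an array of "name=value".
  cookiesFor(url, now = Date.now()) {
    const { scheme, host } = CookieJar.origin(url);
    this.cullExpiredSessions(now);
    this.touch(scheme, host, now);
    const out = [];
    for (const [k, c] of this.store) {
      if (c.host !== host) continue;
      if (c.expires !== null && c.expires <= now) { this.store.delete(k); continue; }
      if (c.secure && scheme !== 'https') continue;           // Secure attribute, existing rule
      if (this.schemeBound && c.scheme !== scheme) continue;  // change 1
      out.push(`${c.name}=${c.value}`);
    }
    return out;
  }

  // Change 2: drop non-secure cookies of any site whose http:// session has
  // been idle longer than nonSecureIdleMs. Returns the number culled.
  cullExpiredSessions(now) {
    let culled = 0;
    for (const [k, c] of this.store) {
      if (c.scheme !== 'http') continue;
      const last = this.lastHttp.get(c.host) ?? 0;
      if (now - last > this.nonSecureIdleMs) { this.store.delete(k); culled++; }
    }
    return culled;
  }
}

// Constructed scenario: a 30-day session cookie set over https://, a cookie
// set over http:// on the same host, then requests over each scheme, and a
// final http:// request after eight idle days.
function demo(schemeBound) {
  const jar = new CookieJar({ schemeBound, nonSecureIdleMs: 7 * DAY_MS });
  const t0 = 1_000_000_000_000;
  jar.set('https://example.test/login', 'sid=https-session; Max-Age=2592000', t0);
  jar.set('http://example.test/', 'tracker=plain', t0);
  return {
    toHttp: jar.cookiesFor('http://example.test/page', t0 + 1000),
    toHttps: jar.cookiesFor('https://example.test/page', t0 + 1000),
    afterIdle: jar.cookiesFor('http://example.test/page', t0 + 8 * DAY_MS),
  };
}

console.log('legacy jar:', demo(false));
console.log('scheme-bound jar:', demo(true));
```

With `schemeBound` off, the https-set `sid` cookie rides along on the http:// request both immediately and after the idle period; with it on, only `tracker` is sent over http://, and after eight idle days the http:// session has ended and `tracker` is culled, so nothing non-secure survives.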