IETF Logo Mail Archive

Re: Defining First and Third Party Cookies

Mike West <mkwst@google.com> Mon, 22 February 2016 12:49 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40C5B1A1ABE for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 22 Feb 2016 04:49:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.385
X-Spam-Level:
X-Spam-Status: No, score=-6.385 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.006, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i7HX9ow1vaio for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 22 Feb 2016 04:49:22 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBA0B1A0173 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 22 Feb 2016 04:49:21 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1aXpsO-0007bt-JX for ietf-http-wg-dist@listhub.w3.org; Mon, 22 Feb 2016 12:46:08 +0000
Resent-Date: Mon, 22 Feb 2016 12:46:08 +0000
Resent-Message-Id: <E1aXpsO-0007bt-JX@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mkwst@google.com>) id 1aXpsJ-0007bC-RO for ietf-http-wg@listhub.w3.org; Mon, 22 Feb 2016 12:46:03 +0000
Received: from mail-lf0-f42.google.com ([209.85.215.42]) by maggie.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <mkwst@google.com>) id 1aXpsG-000682-P8 for ietf-http-wg@w3.org; Mon, 22 Feb 2016 12:46:03 +0000
Received: by mail-lf0-f42.google.com with SMTP id l143so92795574lfe.2 for <ietf-http-wg@w3.org>; Mon, 22 Feb 2016 04:45:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=X2Ug+itGfVTnx1IsmkAgIGew/XrO8JctVA0FyqA9rEI=; b=Lu1hfO5Z2HvTFgeuqecI7wf/WxwMLPnzXXMP7OTgTJIA0Kui/7Veg1eUJ2R2OljyEU xzywUTNzMSA08zJqLiGyckJZ0jxF1e/k7szjDODXmeV9nNZjk1sMd7KE06brEJv8UCIL 8YGCv+3wxY5KKm/H8IRJVIqgiMZgqrbZwSgXrmEG+lUE66p614DYGviLRTw2xFbpCMLv b+9476nRtldGrn+3kH94mpdFXeDI8P2t7VRjl3tT4j+mlelfER4sNbE9GvvZTNbp/Dix 2uXOflvj1LDXq+M3z8eC5Bmwrens+2uiOBuak1y1LD7nag3NAjKisLbk5D6GZXc+QoOC 2E+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=X2Ug+itGfVTnx1IsmkAgIGew/XrO8JctVA0FyqA9rEI=; b=J0romlzFK/B6gggs5DYjLrzQfI04faBGsGmqtHI/n2PQhmLuSQ8u7VAeh57WkaoBg7 Wwfl8kR7FKeao9/X05b2+6A+6QHLgbaAbNshG0K5eL5jRz9DDXFwwN7XNSZ4AvRB0uQM /yxyDywhSbl0y42dnahaXb/429STW4h1c5HY47u4EknEXJCgywjKd2JuNNGBWkhaUCwI xmV1tOqZLSoV3e58qBdrUa8BxyGNgOmX8PFm7e4x3m22awXbf160hdidpKN98YtGKBFy TIN8P50nvL52/0WOZRp1MhIg/vbviwCZQsdsgkRo0gwcXmXrbfNiZwugDf8KKkRA1Rgs Sv/w==
X-Gm-Message-State: AG10YOTosYp5JuhWxIH1vvKySqgygOJ0PwRfSPDJWqfLfaXvaVhtWpx85T5iIk7H101HBFfOHTpk9f/xakZHp89h
X-Received: by 10.25.8.4 with SMTP id 4mr10237752lfi.164.1456145133409; Mon, 22 Feb 2016 04:45:33 -0800 (PST)
MIME-Version: 1.0
Received: by 10.112.170.98 with HTTP; Mon, 22 Feb 2016 04:45:13 -0800 (PST)
In-Reply-To: <CA5E3B51-72F3-4BA8-9D78-472AE0EA0710@mnot.net>
References: <0F099912-9E26-4EEF-A5E7-9D01DE045377@mnot.net> <8B504522-E2A9-4357-9DCF-BB353CCC5971@gbiv.com> <CAKXHy=dBZOd1KFqrgCuA7Fy=s760V3xLcH5MLAq9-HR3f2NPfw@mail.gmail.com> <778F0006-6CD9-4832-837C-0423B7A64C7D@gbiv.com> <CAKXHy=evN0KJGRrfvA0ia7qWcQGjzqW7owy5=R1KNaww4gn8gA@mail.gmail.com> <CA5E3B51-72F3-4BA8-9D78-472AE0EA0710@mnot.net>
From: Mike West <mkwst@google.com>
Date: Mon, 22 Feb 2016 13:45:13 +0100
Message-ID: <CAKXHy=e2EYaxXkwquBonvV3Wt_n9seo4BjO1b_z9WF3Krwyj1w@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>, Anne van Kesteren <annevk@annevk.nl>
Cc: Roy Fielding <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="001a113e5e466b77fa052c5b35a5"
Received-SPF: pass client-ip=209.85.215.42; envelope-from=mkwst@google.com; helo=mail-lf0-f42.google.com
X-W3C-Hub-Spam-Status: No, score=-7.9
X-W3C-Hub-Spam-Report: AWL=1.838, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1aXpsG-000682-P8 f908411d5bff443649ee7115923f5951
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Defining First and Third Party Cookies
Archived-At: <http://www.w3.org/mid/CAKXHy=e2EYaxXkwquBonvV3Wt_n9seo4BjO1b_z9WF3Krwyj1w@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31089
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Mon, Feb 22, 2016 at 5:26 AM, Mark Nottingham <mnot@mnot.net> wrote:

> <https://tools.ietf.org/html/rfc6265#section-7.1> already talks about
> "third-party cookies." So we need to figure out what to do about that. It'd
> be awfully awkward to have both "same-site" and "third-party" as supposedly
> complementary terms.
>
> We could either change "third-party", or clarify that we're using
> technical terms about the scope of cookies, not ownership (as it is in
> DNT's definition).  IMHO the latter is more straightforward; new
> terminology for existing concepts has trouble getting traction (as we've
> seen with the rebranding of conneg methods).
>
> Thoughts?
>

It starts to get a little bit complicated when you look at the current
behavior of today's browsers. I'll talk about Chrome here (and use
"first-party" and "third-party" terminology, as that's what Chrome's code
uses), but my understanding is that other browsers have similar concepts
and behaviors:

1.  Requests have a "first-party for cookies" and an "initiator", which
both begin with a value more or less exactly equal to the "site for
cookies" concept defined in
https://tools.ietf.org/html/draft-west-first-party-cookies-06#section-2.1.1
(code
somewhere near [1]).

2.  During top-level navigations (including redirects), Chrome updates the
request's "first-party for cookies" to be the URL the user is navigating
_to_ (code somewhere near [2]).

3.  The "initiator" never changes.

This means that when "https://example.com/" requests a subresource (script,
image, etc) from "https://not-example.net/", that request has a
"first-party for cookies" of "https://example.com/" (which makes it a
"third-party" request), and an "initiator" of "https://example.com/" (which
makes it not "same-site").

If a user navigates the top-level window from "https://example.com/" to "
https://not-example.net/", that navigation has a "first-party for cookies"
of "https://not-example.net/" ("first-party"), and an "initiator" of "
https://example.com/" (not "same-site").

If a user navigates the top-level window from "https://example.com/" to "
https://not-example.net/", which 302's the user to "
https://another-example.org/", then two requests are generated with a
"first-party for cookies" of "https://not-example.net/" and "
https://another-example.org/" respectively (both "first-party"), and an
"initiator" of "https://example.com/" (not "same-site").

[1]:
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/dom/Document.cpp&q=Document::firstPartyForCookies&sq=package:chromium&l=4163

[2]:
https://code.google.com/p/chromium/codesearch#chromium/src/net/url_request/url_request_job.cc&l=944

Also, Mike - I find myself wondering about the relationship between your
> definition of determining third-party and how Origin is computed. Looking
> at the specs involved (Origin Concept, HTML5 and Fetch), it appears that
> most of the logic for determining the calling context for Origin is in
> HTML/Fetch, with the Origin RFC being pretty handwavy about it <
> http://tools.ietf.org/html/rfc6454#section-7.2>:
>
> """
> When included in an HTTP request, the Origin header field indicates the
> origin(s) that "caused" the user agent to issue the request, as defined by
> the API that triggered the user agent to issue the request.
> """
>
> Given that, it seems odd to have such precision about computing Cookie
> scope in the cookie spec; if feels like the way that you compute calling
> context for both is going to be about the same, and so should be specified
> in the same place. Or am I misunderstanding something?
>

I think we need precision somewhere. I'm fairly agnostic about where that
somewhere might be. Adding Anne, who might be interested in defining terms
like these in Fetch?

-mike

v2.31.3 | Report a Bug | By Email | System Status