Server/Site opt-in | Re: Formalizing the HTTP State Tokens proposal.
Kari Hurtta <hurtta-ietf@elmme-mailer.org> Wed, 03 April 2019 18:32 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2BC0120130 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 3 Apr 2019 11:32:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.899
X-Spam-Level:
X-Spam-Status: No, score=-2.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IQ8VwTKTqHKH for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 3 Apr 2019 11:32:49 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC87012013F for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 3 Apr 2019 11:32:49 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1hBkeR-0000sm-HI for ietf-http-wg-dist@listhub.w3.org; Wed, 03 Apr 2019 18:30:19 +0000
Resent-Date: Wed, 03 Apr 2019 18:30:19 +0000
Resent-Message-Id: <E1hBkeR-0000sm-HI@frink.w3.org>
Received: from titan.w3.org ([2603:400a:ffff:804:801e:34:0:4c]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <khurtta@welho.com>) id 1hBkeP-0000jt-P9 for ietf-http-wg@listhub.w3.org; Wed, 03 Apr 2019 18:30:17 +0000
Received: from welho-filter2.welho.com ([83.102.41.24]) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <khurtta@welho.com>) id 1hBkeL-0005pt-He for ietf-http-wg@w3.org; Wed, 03 Apr 2019 18:30:17 +0000
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 069B4C3F26; Wed, 3 Apr 2019 21:29:45 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id kooaGmeMVNxZ; Wed, 3 Apr 2019 21:29:44 +0300 (EEST)
Received: from kasvihuone.keh.iki.fi (89-27-39-95.bb.dnainternet.fi [89.27.39.95]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPS id 70A267A; Wed, 3 Apr 2019 21:28:57 +0300 (EEST)
In-Reply-To: <20190328194046.GA26916@LK-Perkele-VII>
References: <20190328194046.GA26916@LK-Perkele-VII>
To: HTTP Working Group <ietf-http-wg@w3.org>
Date: Wed, 03 Apr 2019 21:28:57 +0300
From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
CC: Mike West <mkwst@google.com>, Ilari Liusvaara <ilariliusvaara@welho.com>, Kari Hurtta <hurtta-ietf@elmme-mailer.org>
X-Mailer: ELM [version ME+ 2.5 PLalpha49+]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20190403182945.069B4C3F26@welho-filter2.welho.com>
Received-SPF: none client-ip=83.102.41.24; envelope-from=khurtta@welho.com; helo=welho-filter2.welho.com
X-W3C-Hub-Spam-Status: No, score=-4.8
X-W3C-Hub-Spam-Report: AWL=0.824, BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1hBkeL-0005pt-He 7bb09cad9559fd13651cc6eba7942eee
X-Original-To: ietf-http-wg@w3.org
Subject: Server/Site opt-in | Re: Formalizing the HTTP State Tokens proposal.
Archived-At: <https://www.w3.org/mid/20190403182945.069B4C3F26@welho-filter2.welho.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/36499
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
> I see some issues: > > - This mechanism looks to lack server opt-in, which runs into issues > with EU "cookie law". Specifically, it does not seem to be possible > to use this for any purpose without triggering disclaimer > requirements. Whereas there are still usecases cookies that do not > necressarily do so (for example, login). https://tools.ietf.org/html/draft-west-http-state-tokens-00 My suggestion #2 for server opt-in (*) ( This also includes my delivery=none suggestion <20190328190729.F36474EEEA@welho-filter4.welho.com> https://lists.w3.org/Archives/Public/ietf-http-wg/2019JanMar/0251.html ) 3.1. HTTP State Tokens https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-3.1 "delivery" metadata is enum of either "query", "void", "none", same-origin", "same-site", or "cross-site" Initial value for "delivery" is "query". 4.1. The 'Sec-Http-State' HTTP Header Field https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-4.1 I assume that site / server uses Sec-Http-State: request field for indication that HTTP State Tokens are supported by browser (and Cookie need not be generated). Therefore "Sec-Http-State:" dictionary member, whose key is "token", have value which is ether binary content (sh-binary) or token (sh-token). Allowed token (sh-token) values for "token" are "query" and "void". 4.2. The 'Sec-Http-State-Options' HTTP Header Field https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-4.2 "Sec-Http-State-Options:" dictionary member's, whose key is "delivery", allowed token (sh-token) values are "void", "none", "same-origin", "same-site", or "cross-site" ( Note that "query" is missed. It is just initial value "delivery" metadata and can not be set by site / server .) 1) If HTTP State Token's "delivery" property have value "query", generated request header field is Sec-HTTP-State: token=query This indicates that browser supports HTTP State Tokens but opt-in is needed. 2) If HTTP State Token's "delivery" property have value "void", generated request header field is Sec-HTTP-State: token=void This indicates that browser supports HTTP State Tokens but site/server or user is opt-out for HTTP State Tokens Site should not longer prompt consent frum user either (also should not set Cookies either for same reason). 3) If HTTP State Token's "delivery" property have value "none", Sec-HTTP-State: request header field is NOT generated. This is for sites/origins which want minimize request size (these sites/origins naturally also do NOT set Cooies.) These origins proviedes static content (images, styles, javascript and so on which do not need state). 4) If HTTP State Token's "delivery" property have value same-origin", "same-site", or "cross-site" then "value" property for HTTP State Token is generated (256 cryptographically random bits) and generated request header field is Sec-HTTP-State: token=*(base64 encoding of "value" property)* The 'Sec-Http-State' HTTP Header Field may also include other dictionat memebers than "token". If HTTP State Token's "delivery" property have value "query", there neeed also method for Javascript to set that to other value. This allows site/server use Javascript based consent from user. ( Server / Site can set this with Sec-Http-State-Options: response header feld. ) / Kari Hurtta (*) My previous suggestion was: <20180819081635.7C1E4229D@welho-filter3.welho.com> https://lists.w3.org/Archives/Public/ietf-http-wg/2018JulSep/0222.html ( or perhaps not )
- Formalizing the HTTP State Tokens proposal. Mike West
- Re: Formalizing the HTTP State Tokens proposal. Kari Hurtta
- Re: Formalizing the HTTP State Tokens proposal. Kari Hurtta
- Re: Formalizing the HTTP State Tokens proposal. Ilari Liusvaara
- Server/Site opt-in | Re: Formalizing the HTTP Sta… Kari Hurtta
- same-site |Re: Formalizing the HTTP State Tokens … Kari Hurtta
- delivery=same-origin | Re: Formalizing the HTTP S… Kari Hurtta
- cross-site | Re: Formalizing the HTTP State Token… Kari Hurtta
- key, register | Re: Formalizing the HTTP State To… Kari Hurtta
- Server/Site opt-in #2 | Re: Formalizing the HTTP … Kari Hurtta
- Signature | Re: Formalizing the HTTP State Tokens… Kari Hurtta
- Signature #2: No CBOR | Re: Formalizing the HTTP … Kari Hurtta