IETF Logo Mail Archive

Server/Site opt-in | Re: Formalizing the HTTP State Tokens proposal.

Kari Hurtta <hurtta-ietf@elmme-mailer.org> Wed, 03 April 2019 18:32 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2BC0120130 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 3 Apr 2019 11:32:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.899
X-Spam-Level:
X-Spam-Status: No, score=-2.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IQ8VwTKTqHKH for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 3 Apr 2019 11:32:49 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC87012013F for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 3 Apr 2019 11:32:49 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1hBkeR-0000sm-HI for ietf-http-wg-dist@listhub.w3.org; Wed, 03 Apr 2019 18:30:19 +0000
Resent-Date: Wed, 03 Apr 2019 18:30:19 +0000
Resent-Message-Id: <E1hBkeR-0000sm-HI@frink.w3.org>
Received: from titan.w3.org ([2603:400a:ffff:804:801e:34:0:4c]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <khurtta@welho.com>) id 1hBkeP-0000jt-P9 for ietf-http-wg@listhub.w3.org; Wed, 03 Apr 2019 18:30:17 +0000
Received: from welho-filter2.welho.com ([83.102.41.24]) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <khurtta@welho.com>) id 1hBkeL-0005pt-He for ietf-http-wg@w3.org; Wed, 03 Apr 2019 18:30:17 +0000
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 069B4C3F26; Wed, 3 Apr 2019 21:29:45 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id kooaGmeMVNxZ; Wed, 3 Apr 2019 21:29:44 +0300 (EEST)
Received: from kasvihuone.keh.iki.fi (89-27-39-95.bb.dnainternet.fi [89.27.39.95]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPS id 70A267A; Wed, 3 Apr 2019 21:28:57 +0300 (EEST)
In-Reply-To: <20190328194046.GA26916@LK-Perkele-VII>
References: <20190328194046.GA26916@LK-Perkele-VII>
To: HTTP Working Group <ietf-http-wg@w3.org>
Date: Wed, 03 Apr 2019 21:28:57 +0300
From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
CC: Mike West <mkwst@google.com>, Ilari Liusvaara <ilariliusvaara@welho.com>, Kari Hurtta <hurtta-ietf@elmme-mailer.org>
X-Mailer: ELM [version ME+ 2.5 PLalpha49+]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20190403182945.069B4C3F26@welho-filter2.welho.com>
Received-SPF: none client-ip=83.102.41.24; envelope-from=khurtta@welho.com; helo=welho-filter2.welho.com
X-W3C-Hub-Spam-Status: No, score=-4.8
X-W3C-Hub-Spam-Report: AWL=0.824, BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1hBkeL-0005pt-He 7bb09cad9559fd13651cc6eba7942eee
X-Original-To: ietf-http-wg@w3.org
Subject: Server/Site opt-in | Re: Formalizing the HTTP State Tokens proposal.
Archived-At: <https://www.w3.org/mid/20190403182945.069B4C3F26@welho-filter2.welho.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/36499
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

> I see some issues:
> 
> - This mechanism looks to lack server opt-in, which runs into issues
>   with EU "cookie law". Specifically, it does not seem to be possible
>   to use this for any purpose without triggering disclaimer
>   requirements. Whereas there are still usecases cookies that do not
>   necressarily do so (for example, login).

https://tools.ietf.org/html/draft-west-http-state-tokens-00

My suggestion #2 for server opt-in (*)

( This also includes my delivery=none suggestion
  <20190328190729.F36474EEEA@welho-filter4.welho.com>
  https://lists.w3.org/Archives/Public/ietf-http-wg/2019JanMar/0251.html
)

3.1.  HTTP State Tokens
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-3.1

"delivery" metadata is enum  of either

	  "query", "void", "none",
	  same-origin", "same-site", or "cross-site"

Initial value for "delivery" is "query".

4.1.  The 'Sec-Http-State' HTTP Header Field
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-4.1

I assume that site / server uses Sec-Http-State: request field for
indication that HTTP State Tokens are supported by browser
(and Cookie need not be generated).

Therefore  "Sec-Http-State:"  dictionary member, whose key is "token",
have value which is ether binary content (sh-binary) or token (sh-token). 

Allowed token (sh-token) values for "token" are
"query" and "void".


4.2.  The 'Sec-Http-State-Options' HTTP Header Field

https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-4.2



"Sec-Http-State-Options:"  dictionary member's,  whose key is
"delivery",  allowed token (sh-token) values 
are  "void", "none", "same-origin", "same-site", or "cross-site"

( Note that "query" is missed. It is just initial value "delivery" metadata
  and can not be set by site / server .)



1) If HTTP State Token's "delivery" property have value "query",
generated request header field is
    
  Sec-HTTP-State: token=query

This indicates that browser supports HTTP State Tokens but
opt-in is needed.

2) If HTTP State Token's "delivery" property have value "void",
generated request header field is

  Sec-HTTP-State: token=void

This indicates that browser supports HTTP State Tokens but
site/server or user is opt-out for  HTTP State Tokens

Site should not longer prompt consent frum user either
(also should not set Cookies either for same reason).


3) If HTTP State Token's "delivery" property have value "none",
 Sec-HTTP-State: request header field is NOT generated.

This is for sites/origins which want minimize request size (these
sites/origins naturally also do NOT set Cooies.) These origins
proviedes static content (images, styles, javascript and so on which
do not need state).


4) If HTTP State Token's "delivery" property have value
 same-origin", "same-site", or "cross-site" then
 "value" property for HTTP State Token is generated
 (256 cryptographically random bits) and
generated request header field is

  Sec-HTTP-State: token=*(base64 encoding of "value" property)*

The 'Sec-Http-State' HTTP Header Field may also include
other dictionat memebers than "token".



If  HTTP State Token's "delivery" property have value "query",
there neeed also method for Javascript to set that
to other value. This allows site/server use Javascript based consent
from user.

( Server / Site can set this with Sec-Http-State-Options:
  response header feld. )


/ Kari Hurtta



(*) My previous suggestion was:

<20180819081635.7C1E4229D@welho-filter3.welho.com>
https://lists.w3.org/Archives/Public/ietf-http-wg/2018JulSep/0222.html

( or perhaps not )

v2.23.0 | Report a Bug | By Email