"Origin locked" cookie prefix - draft-ietf-httpbis-rfc6265bis-06

Paolo Argentieri <paolo.argentieri@laserfiche.com> Mon, 07 September 2020 07:18 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 365AE3A160D for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 7 Sep 2020 00:18:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.749
X-Spam-Level:
X-Spam-Status: No, score=-2.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=laserfiche.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lxlTj-YBXL7W for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 7 Sep 2020 00:18:44 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FCDB3A160C for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 7 Sep 2020 00:18:43 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1kFBQ1-0004aq-Ip for ietf-http-wg-dist@listhub.w3.org; Mon, 07 Sep 2020 07:18:25 +0000
Resent-Date: Mon, 07 Sep 2020 07:18:25 +0000
Resent-Message-Id: <E1kFBQ1-0004aq-Ip@lyra.w3.org>
Received: from www-data by lyra.w3.org with local (Exim 4.92) (envelope-from <paolo.argentieri@laserfiche.com>) id 1kFBQ0-0004Za-IY for ietf-http-wg@listhub.w3.org; Mon, 07 Sep 2020 07:18:24 +0000
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <paolo.argentieri@laserfiche.com>) id 1kEOBu-0002qp-Dj for ietf-http-wg@listhub.w3.org; Sat, 05 Sep 2020 02:44:34 +0000
Received: from mx0a-00395901.pphosted.com ([148.163.133.164]) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <paolo.argentieri@laserfiche.com>) id 1kEOBs-0007YD-Mx for ietf-http-wg@w3.org; Sat, 05 Sep 2020 02:44:34 +0000
Received: from pps.filterd (m0172984.ppops.net [127.0.0.1]) by mx0a-00395901.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 0852esU2016386 for <ietf-http-wg@w3.org>; Fri, 4 Sep 2020 19:44:20 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=laserfiche.com; h=from : to : subject : date : message-id : content-type : content-transfer-encoding : mime-version; s=pps1; bh=OxB5fk67voC9bTzxgZkPRboNV8v0A7nJRJssBOfJF5Q=; b=pucRbsiuzbH77jcYZarTm3p2S+VYguL/kyHbcTXGctAEjNUbxgpKqscEoGbeSI3qkgyv 7pdYE/QbyDN1oBOdtinFpJdxRA46uTClKpR5Pih4LDbnReA34aD97HyIu9LDEDCLLKOj zWEtO117x/MsbXNGOrdpuzYR0cv4MbYjucidMvQjxEHAhBFUIwWQ7cFECSlh6bTmBRKS i/26GxA7AbwBt7vIMeOAxucQSt7LEAoJHPt80CXGSTE6RYEZ7PsWWVblEwrrtiwbl07D +H3WAHE9DvcF5knundjjTKagmt2eiwWH7mjLfY0bcUmzPsRG0uC/FejWJAmYydI+jbC3 1Q==
Received: from smtp.laserfiche.com (smtp.laserfiche.com [71.84.228.134]) by mx0a-00395901.pphosted.com with ESMTP id 337jrmnwdc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for <ietf-http-wg@w3.org>; Fri, 04 Sep 2020 19:44:20 -0700
Received: from v-exchange2016.laserfiche.com (127.0.0.1) by v-exchange2016.laserfiche.com (127.0.0.1) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2044.4; Fri, 4 Sep 2020 19:44:18 -0700
Received: from v-exchange2016.laserfiche.com ([fe80::ede2:6391:7f33:ef66]) by v-exchange2016.laserfiche.com ([fe80::ede2:6391:7f33:ef66%4]) with mapi id 15.01.2044.004; Fri, 4 Sep 2020 19:44:18 -0700
From: Paolo Argentieri <paolo.argentieri@laserfiche.com>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Thread-Topic: "Origin locked" cookie prefix - draft-ietf-httpbis-rfc6265bis-06
Thread-Index: AdaDLhITApZ9D9QiQsGQE9kbe964Ww==
Date: Sat, 5 Sep 2020 02:44:18 +0000
Message-ID: <354049fc80094c0cb880d4d780ff0376@laserfiche.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [104.129.199.47]
x-c2processedorg: 96cc0e5e-91aa-499a-88f5-5c9e71ddb7d5
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235,18.0.687 definitions=2020-09-05_01:2020-09-04,2020-09-05 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 clxscore=1011 mlxscore=0 phishscore=0 bulkscore=0 priorityscore=1501 adultscore=0 lowpriorityscore=0 impostorscore=0 mlxlogscore=574 spamscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2009050025
Received-SPF: pass client-ip=148.163.133.164; envelope-from=paolo.argentieri@laserfiche.com; helo=mx0a-00395901.pphosted.com
X-W3C-Hub-Spam-Status: No, score=-4.8
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1kEOBs-0007YD-Mx 43421b2bb76651152d58c413b5618618
X-caa-id: e0b5837d2d
X-Original-To: ietf-http-wg@w3.org
Subject: "Origin locked" cookie prefix - draft-ietf-httpbis-rfc6265bis-06
Archived-At: <https://www.w3.org/mid/354049fc80094c0cb880d4d780ff0376@laserfiche.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/38023
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hi all, first post here.

I'd like to propose a new "__Origin-" cookie prefix with "origin locked" semantic.
While it is possible to implement these cookies today, standardized user agent support would add a layer of optimization and security.

The cookie name begins with prefix "__Origin-" followed by the domain that served the parent page (the origin) and, optionally, a name postfix. Example:

Set-Cookie: __Origin-apps.contoso.com-accessToken=12345; Secure; HttpOnly; SameSite=None

A conformant user agent would ensure that the cookie will have been set with a "Secure" attribute and the domain following "__Origin-" matches the request Origin.
In addition, a conformant user agent would not send an "__Origin-" cookie if the domain in the cookie name does not match the Origin, excluding port.

A server should ignore "__Origin-"  cookies whose name doesn't match the Origin request header. This combination yields cookies that are pinned to a specific origin thus well suited to roundtrip session ids or JWTs (immune to XSS session hijacking attack).

Regards,
Paolo Argentieri