Re: "Origin locked" cookie prefix - draft-ietf-httpbis-rfc6265bis-06

Mark Nottingham, Mon, 07 September 2020 07:51 UTC

From: Mark Nottingham
Date: Mon, 7 Sep 2020 17:49:37 +1000
To: Paolo Argentieri

Hi Paolo,

Are you familiar with the __Host prefix?[1]

Describing what you want to do in relation to it might be more helpful.

Also, from a procedural standpoint, we have a pretty high bar for adding new features to cookies in the current work; the proposals that are currently in scope needed to gain consensus for inclusion before we started the work. So, we'd need to see some pretty strong support for a new feature, given the state of the work.



> On 5 Sep 2020, at 12:44 pm, Paolo Argentieri <> wrote:
> Hi all, first post here.
> I'd like to propose a new "__Origin-" cookie prefix with "origin locked" semantics.
> While it is possible to implement these cookies today, standardized user agent support would add a layer of optimization and security.
> The cookie name begins with prefix "__Origin-" followed by the domain that served the parent page (the origin) and, optionally, a name postfix. Example:
> Set-Cookie:; Secure; HttpOnly; SameSite=None
> A conformant user agent would ensure that the cookie will have been set with a "Secure" attribute and the domain following "__Origin-" matches the request Origin.
> In addition, a conformant user agent would not send an "__Origin-" cookie if the domain in the cookie name does not match the Origin, excluding port.
> A server should ignore "__Origin-" cookies whose name doesn't match the Origin request header. This combination yields cookies that are pinned to a specific origin thus well suited to roundtrip session ids or JWTs (immune to XSS session hijacking attack).
> Regards,
> Paolo Argentieri

Mark Nottingham
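The following is an added example, not code from the thread, from the draft, or from any browser. It models the two sets of checks the exchange above compares: the __Secure-/__Host- prefix rules as draft-ietf-httpbis-rfc6265bis section 4.1.3 states them (Secure required; for __Host- additionally no Domain attribute and Path=/), and the proposed __Origin- rules as Paolo describes them (Secure required, host in the name must match the setting origin with the port ignored, server discards cookies whose name does not match the Origin request header). Two details the proposal leaves open are assumptions here: the optional name postfix is taken to be separated from the host by a "-", and a request that carries no Origin header causes every __Origin- cookie to be dropped rather than trusted. Function names and the example hosts are invented for illustration.

```javascript
// Added example (not code from the draft, the thread, or any browser): models the
// user-agent and server checks discussed above. The __Secure-/__Host- rules are those
// of draft-ietf-httpbis-rfc6265bis section 4.1.3; the __Origin- rules follow Paolo's
// description. Assumptions: the optional name postfix is separated from the host by
// "-", and a request with no Origin header drops every __Origin- cookie (fail closed).

const ORIGIN_PREFIX = '__Origin-';

// Parse a Set-Cookie value into { name, value, attrs }; attribute names are lower-cased,
// valueless attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map(s => s.trim());
  const eq = parts[0].indexOf('=');
  if (eq <= 0) return null;
  const attrs = {};
  for (const p of parts.slice(1)) {
    if (!p) continue;
    const i = p.indexOf('=');
    const k = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[k] = i < 0 ? true : p.slice(i + 1).trim();
  }
  return { name: parts[0].slice(0, eq).trim(), value: parts[0].slice(eq + 1).trim(), attrs };
}

// Host of an origin string such as "https://app.example:8443" -> "app.example".
// The port is ignored, as the proposal specifies.
function originHost(origin) {
  try { return new URL(origin).hostname.toLowerCase(); } catch (e) { return null; }
}

// Does "__Origin-<host>[-postfix]" name this host? (the "-" delimiter is an assumption)
function cookieNameMatchesHost(name, host) {
  const rest = name.slice(ORIGIN_PREFIX.length).toLowerCase();
  return rest === host || rest.startsWith(host + '-');
}

// User-agent side: accept a Set-Cookie carried by a response from responseOrigin?
//   __Secure-  : Secure attribute required
//   __Host-    : Secure, no Domain attribute, Path=/
//   __Origin-  : Secure, and the host in the name must equal the responding origin's host
function shouldAcceptSetCookie(header, responseOrigin) {
  const c = parseSetCookie(header);
  if (!c) return false;
  const secure = c.attrs.secure === true;
  if (c.name.startsWith('__Secure-')) return secure;
  if (c.name.startsWith('__Host-')) return secure && !('domain' in c.attrs) && c.attrs.path === '/';
  if (c.name.startsWith(ORIGIN_PREFIX)) {
    const host = originHost(responseOrigin);
    return secure && host !== null && cookieNameMatchesHost(c.name, host);
  }
  return true;
}

// Parse a Cookie request header into [[name, value], ...].
function parseCookieHeader(header) {
  const out = [];
  for (const part of (header || '').split(';')) {
    const s = part.trim();
    const i = s.indexOf('=');
    if (i <= 0) continue;
    out.push([s.slice(0, i).trim(), s.slice(i + 1).trim()]);
  }
  return out;
}

// Server side: keep non-prefixed cookies as-is and keep an __Origin- cookie only when the
// host in its name matches the request's Origin header. A missing Origin header drops all
// __Origin- cookies rather than trusting them (a choice of this example, not the proposal).
function acceptedOriginCookies(cookieHeader, originHeader) {
  const host = originHeader ? originHost(originHeader) : null;
  return parseCookieHeader(cookieHeader).filter(([name]) =>
    !name.startsWith(ORIGIN_PREFIX) || (host !== null && cookieNameMatchesHost(name, host)));
}

// Usage with constructed inputs:
console.log(shouldAcceptSetCookie('__Origin-app.example-sid=abc; Secure; HttpOnly; SameSite=None', 'https://app.example'));
console.log(acceptedOriginCookies('__Origin-app.example-sid=abc; __Origin-other.example-sid=zzz; plain=1', 'https://app.example'));
```

One caveat a deployment would hit: browsers do not attach an Origin header to every request (a same-origin top-level GET navigation usually omits it), so the server-side rule "ignore cookies whose name doesn't match the Origin header" cannot be applied uniformly; the example fails closed in that case, which is a design decision the proposal itself does not make. The __Host- branch is included because, as the reply notes, it already pins a cookie to one host with no Domain scoping, which covers a good part of what the __Origin- prefix is after.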