Re: "Origin locked" cookie prefix - draft-ietf-httpbis-rfc6265bis-06

Mark Nottingham <mnot@mnot.net> Mon, 07 September 2020 07:51 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D39BE3A0115 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 7 Sep 2020 00:51:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.749
X-Spam-Level:
X-Spam-Status: No, score=-2.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b=RcEkmY5A; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=heehb5ou
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OnfSyVU1FpVE for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 7 Sep 2020 00:51:53 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2218D3A0112 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 7 Sep 2020 00:51:53 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1kFBua-0003Hh-UH for ietf-http-wg-dist@listhub.w3.org; Mon, 07 Sep 2020 07:50:01 +0000
Resent-Date: Mon, 07 Sep 2020 07:50:00 +0000
Resent-Message-Id: <E1kFBua-0003Hh-UH@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <mnot@mnot.net>) id 1kFBuZ-0003Gw-MO for ietf-http-wg@listhub.w3.org; Mon, 07 Sep 2020 07:49:59 +0000
Received: from wout5-smtp.messagingengine.com ([64.147.123.21]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <mnot@mnot.net>) id 1kFBuX-0004tA-Gv for ietf-http-wg@w3.org; Mon, 07 Sep 2020 07:49:59 +0000
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.west.internal (Postfix) with ESMTP id 9D17376F; Mon, 7 Sep 2020 03:49:42 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Mon, 07 Sep 2020 03:49:42 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=fm3; bh=9 AI4R8JNLCZ5Et6KQ8d6cv9benxe0n2vyRJV4nmXoHg=; b=RcEkmY5AL291xEb5K bo+UND+Aej4low2PwTi/ceTIdTTwVn4K4nbS38Yc3bdm/TDcvHIRLAUXPqMYrAMz /PXDXbUbQS+81rBsp759uqAdgW3njsfTSOuscRHiDMdw25TTe8y8ATiLcViyBhEF pIpK/GuEe1wiwOFh9CbWAC6nFo+rvhfCFxAFsJrMdX9lJwz7Jwe5IesF59mGuNx0 QrO1iJbWLRYGnBhJpLvmt0WwNBVdWDqd/Q/OxKmEAHQ8zAZpkR83djDZAi9MxoWH Rl2Xs09wbDNn+Jj2WgDMiUoOr144zI2C3Zvtns0xIitsmQicX0irQtk16u51kcBJ NsLuA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=9AI4R8JNLCZ5Et6KQ8d6cv9benxe0n2vyRJV4nmXo Hg=; b=heehb5oup2Zp6LXyWbytSUgjhfzhStr16yXk1Q+egC1SCIrPuPLAAJvEZ ShyjQfysvF8CvGV0dcPsc67UhpXKKdB7AVwHtAiCofgnFwFwjafG1mVnj6EsvBjU IdCWWGUxylIa7QYxR2GhIAfgK9TzlCpvvCutKbfWLt+PKCyzyZuh5+ypdgT08ygg /183/iq78HlDGaw1W/HpuiS7zgK8ppZeanspQcwBz5Bvig1GI0RR87ac2XwTUW+n cHHt2jU3eQleAm8JGQmZdNjzEzHpDlfUGRmmrfe0K0avm4ZVwnAq+dxFFk0GNazb TfdjWLmO+OH2K6RFNcpbWcRfaUSPg==
X-ME-Sender: <xms:FeZVX99aAwYldR6BAn-53vZ0v8bjfrWOP5k8h_vyOkgNRVVK5n6_1w> <xme:FeZVXxsnnAKGgA86ND4Tq0F9UmQ5RMi1ux6xnmZiaV1wJba_O_UgJYyUy2TXgLZFX jkH_ol9hPUFBAYJiA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduiedrudegledgjeduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurheptggguffhjgffgffkfhfvofesthhqmhdthhdtvdenucfhrhhomhepofgrrhhk ucfpohhtthhinhhghhgrmhcuoehmnhhothesmhhnohhtrdhnvghtqeenucggtffrrghtth gvrhhnpeeiheffteefteeugeeuhfejfeevtdfghefgudeggfdtleeuhfegfeevheegudel udenucffohhmrghinhephhhtthhpfihgrdhorhhgpdgtohhnthhoshhordgtohhmpdhmnh hothdrnhgvthenucfkphepudduledrudejrdduheekrddvhedunecuvehluhhsthgvrhfu ihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepmhhnohhtsehmnhhothdrnhgvth
X-ME-Proxy: <xmx:FeZVX7BA49XAqpifKVpUIgNStAJ72nHVWjnDv4XSgwwz9Ek-5C1fOA> <xmx:FeZVXxcXBMWqIrBa9wa88e2pvdrJc0kACQxdNcE4STHRQGtEoqqTaA> <xmx:FeZVXyND9AYbKAPyADgwSb5N69Zn1Atix-b0-Hem0b4rRAqxvzYuNw> <xmx:FuZVX7ZxCcnAO2JBT55oKx7YxLbaw7-DebYE4LldX1X5F4IIPNXogA>
Received: from [192.168.7.30] (119-17-158-251.77119e.mel.static.aussiebb.net [119.17.158.251]) by mail.messagingengine.com (Postfix) with ESMTPA id 6B9F5306467E; Mon, 7 Sep 2020 03:49:40 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <354049fc80094c0cb880d4d780ff0376@laserfiche.com>
Date: Mon, 7 Sep 2020 17:49:37 +1000
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2A78A684-72AF-492A-8BF1-B9B6A76B5F99@mnot.net>
References: <354049fc80094c0cb880d4d780ff0376@laserfiche.com>
To: Paolo Argentieri <paolo.argentieri@laserfiche.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Received-SPF: pass client-ip=64.147.123.21; envelope-from=mnot@mnot.net; helo=wout5-smtp.messagingengine.com
X-W3C-Hub-Spam-Status: No, score=-9.8
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1kFBuX-0004tA-Gv 1811647675d9819379d30676f7812d57
X-Original-To: ietf-http-wg@w3.org
Subject: Re: "Origin locked" cookie prefix - draft-ietf-httpbis-rfc6265bis-06
Archived-At: <https://www.w3.org/mid/2A78A684-72AF-492A-8BF1-B9B6A76B5F99@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/38025
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hi Paolo,

Are you familiar with the __Host prefix?[1]

Describing what you want to do in relation to it might be more helpful.

Also, from a procedural standpoint, we have a pretty high bar for adding new features to cookies in the current work; the proposals that are current in-scope needed to gain consensus for inclusion before we started the work. So, we'd need to see some pretty strong support for a new feature, given the state of the work.

Cheers,

1. https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#the-host-prefix



> On 5 Sep 2020, at 12:44 pm, Paolo Argentieri <paolo.argentieri@laserfiche.com> wrote:
> 
> Hi all, first post here.
> 
> I'd like to propose a new "__Origin-" cookie prefix with "origin locked" semantic.
> While it is possible to implement these cookies today, standardized user agent support would add a layer of optimization and security.
> 
> The cookie name begins with prefix "__Origin-" followed by the domain that served the parent page (the origin) and, optionally, a name postfix. Example:
> 
> Set-Cookie: __Origin-apps.contoso.com-accessToken=12345; Secure; HttpOnly; SameSite=None
> 
> A conformant user agent would ensure that the cookie will have been set with a "Secure" attribute and the domain following "__Origin-" matches the request Origin.
> In addition, a conformant user agent would not send an "__Origin-" cookie if the domain in the cookie name does not match the Origin, excluding port.
> 
> A server should ignore "__Origin-"  cookies whose name doesn't match the Origin request header. This combination yields cookies that are pinned to a specific origin thus well suited to roundtrip session ids or JWTs (immune to XSS session hijacking attack).
> 
> Regards,
> Paolo Argentieri
> 
> 

--
Mark Nottingham   https://www.mnot.net/