Re: [OAUTH-WG] Cookies & headers in OAuth 2.0 Security Best Current Practice?

Aaron Parecki <aaron@parecki.com> Sun, 05 November 2023 19:03 UTC

References: <CAD9ie-sh0qnGzg5VwU_enq2Br9hH5zgm86z9i7vdMj_uQs=4yA@mail.gmail.com>
In-Reply-To: <CAD9ie-sh0qnGzg5VwU_enq2Br9hH5zgm86z9i7vdMj_uQs=4yA@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Sun, 05 Nov 2023 11:03:32 -0800
X-Gmail-Original-Message-ID: <CAGBSGjrMDrXMd2ApKmLn_LVgMSLME-wvHqPCTpzgDxk5_+kRSA@mail.gmail.com>
Message-ID: <CAGBSGjrMDrXMd2ApKmLn_LVgMSLME-wvHqPCTpzgDxk5_+kRSA@mail.gmail.com>
To: Dick.Hardt@gmail.com
Cc: oauth@ietf.org
Content-Type: multipart/alternative; boundary="0000000000007d198d06096c6523"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6muKLUt0SwdqjlTmivk71WDjc2Y>

I don't think the Security BCP should incorporate cookie best practices
directly in the document. If anything, it sounds like possibly a candidate
for inclusion in the Browser Apps BCP.

There are already some mentions of these cookie properties in the
Browser Apps BCP, though only in reference to specific architectures, not
as a general best practice. For example:

https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html#pattern-bff-cookie-security

Aaron

On Sun, Nov 5, 2023 at 10:48 AM Dick Hardt <dick.hardt@gmail.com> wrote:

> Hey
>
> I was reviewing security on some sites I managed and checked to see if the
> recommendations were in the BCP.
>
> I don't see anything around cookies such as httpOnly, sameSite, secure.
>
> I saw some HTTP security header suggestions buried in 4.16
> (X-Frame-Options, CSP), but not for Strict-Transport-Security,
> Permissions-Policy, or X-Content-Type-Options, and the CSP guidance is
> rather vague.
>
> I understand these are general web security best practices, and perhaps I
> missed it, but I think it would be useful to call out that best security
> practices around cookies and headers should also be followed in Section 2,
> and either have the best practices included, or direct the reader where to
> find them.
>
> /Dick
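The controls named in the quoted message (the HttpOnly, SameSite and Secure cookie attributes, plus Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, Permissions-Policy and X-Content-Type-Options) are easy to check mechanically once a site's response headers are in hand. The following is an added example, not code from this thread or from any IETF draft: a small audit that parses Set-Cookie values and the response-level headers and reports which of those recommendations a response fails to meet. The two sample responses at the bottom are constructed for the demonstration; the header and attribute names are the standard ones the message refers to.

```python
"""Audit an HTTP response's cookie attributes and security headers.

Added example, not code from the mailing-list thread or from any IETF
draft. It checks for the cookie attributes (HttpOnly, SameSite, Secure)
and the response headers (Strict-Transport-Security, Content-Security-Policy,
X-Frame-Options, Permissions-Policy, X-Content-Type-Options) named in the
thread. The two sample responses at the bottom are constructed for the demo.
"""
from __future__ import annotations


def parse_set_cookie(value: str) -> tuple[str, dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, lower-cased attribute map).

    Valueless attributes such as Secure and HttpOnly map to "".
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(value: str) -> list[str]:
    """Return findings for a single Set-Cookie header value."""
    name, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly")
    same_site = attrs.get("samesite", "").lower()
    if same_site not in ("strict", "lax", "none"):
        findings.append(f"cookie {name}: SameSite not set explicitly")
    elif same_site == "none" and "secure" not in attrs:
        # Browsers reject SameSite=None cookies that are not also Secure.
        findings.append(f"cookie {name}: SameSite=None requires Secure")
    return findings


def audit_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Return findings for the response-level security headers."""
    # Case-insensitive lookup; Set-Cookie is handled separately because it repeats.
    by_name = {k.lower(): v for k, v in headers if k.lower() != "set-cookie"}
    findings = []

    hsts = by_name.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif "max-age=" not in hsts.replace(" ", "").lower():
        findings.append("Strict-Transport-Security has no max-age directive")

    if by_name.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    csp = by_name.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")

    # Clickjacking protection: either CSP frame-ancestors or X-Frame-Options.
    has_frame_ancestors = csp is not None and "frame-ancestors" in csp.lower()
    xfo = by_name.get("x-frame-options", "").strip().upper()
    if not has_frame_ancestors and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no framing protection (CSP frame-ancestors or X-Frame-Options)")

    if "permissions-policy" not in by_name:
        findings.append("missing Permissions-Policy")
    return findings


def audit_response(headers: list[tuple[str, str]]) -> list[str]:
    """Audit all headers of one response; an empty list means every check passed."""
    findings = audit_headers(headers)
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(audit_cookie(value))
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("X-Frame-Options", "ALLOWALL"),
]

HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Permissions-Policy", "geolocation=(), camera=()"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_response(resp) or ['OK']}")
```

The header list is kept as (name, value) pairs rather than a dict so that repeated Set-Cookie headers are each audited; the framing check accepts either a CSP frame-ancestors directive or a restrictive X-Frame-Options value, since the two mechanisms cover the same risk.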