IETF Logo Mail Archive

Re: [OAUTH-WG] Cookies & headers in OAuth 2.0 Security Best Current Practice?

Neil Madden <neil.e.madden@gmail.com> Mon, 06 November 2023 14:10 UTC

Return-Path: <neil.e.madden@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC5C6C18771D for <oauth@ietfa.amsl.com>; Mon, 6 Nov 2023 06:10:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.105
X-Spam-Level:
X-Spam-Status: No, score=-1.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T0OPrkzonLTP for <oauth@ietfa.amsl.com>; Mon, 6 Nov 2023 06:10:49 -0800 (PST)
Received: from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com [IPv6:2a00:1450:4864:20::32c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F5E6C1B0312 for <oauth@ietf.org>; Mon, 6 Nov 2023 06:10:49 -0800 (PST)
Received: by mail-wm1-x32c.google.com with SMTP id 5b1f17b1804b1-407acb21f27so2725325e9.0 for <oauth@ietf.org>; Mon, 06 Nov 2023 06:10:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699279847; x=1699884647; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=GdCOi2S/DICDrHJd+URs1630f/5Ht2b3/zzY4JwASFg=; b=ZqGdIOP/uCuO9cT6jSz11u04Lkn2lTG8KPhmnQIhvcCDw8jv6lDXWIUwm1AHpN65Mu JeHXwYlYK2l1zX0RHIenr94qYHUtKDVtPaIurRKVPMHjpkAMJW6PwIKfqO2hrn44nXco EOBGG+FfxHLKzyM/pHYw3uSajo82He/OOQxU0omQnqUdbG5CH3FrmOnqBo6mi5H/abJS HMai01ovjfp1DLTm7ra4OUp5LxUz9siFfY5sgn7msivm6qvqROAs8ON+1MoI5jBHczPa On/uRsKGgNfBkrhIhX6Nrh1K3o4jHRm5zW3R92T3azl+VXXN550WF1X9y6WHJH9l9YRs YGXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699279847; x=1699884647; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=GdCOi2S/DICDrHJd+URs1630f/5Ht2b3/zzY4JwASFg=; b=YjcJg0YTudungeFson0o0vKNDIkWPJYHyH+R7/PUyXDXpQgxTxLi9RfJvlp16VzcJd OZubJeWk6PlguKO5Tj7s+ujORihGNK1g06qNibIIMgaKRoKkzo+Lbz5a0JMEfotYRgjz xKvHbS68mklYtl4GDJb1cbys5bpgk9+zYM1X39hkGjSxxS+EOTCbhvGpY9x7nekBB64o 1z8LFv4FvPpqpEZ7TpDfJB416/ZN7GEWPNUer0bR2FSpnIpSHFbphSiFjMg+5Qg32VUq OjVT5T5pFMawd7fDM6v3YzQqsNHAZQyu5h2xoyf70ixRIn5nIKA80xYFJFc6ZEcpHBBO IQ1g==
X-Gm-Message-State: AOJu0YwzG7/YWZGaD8z8nQAnH6J9camOu6xBm3RgWdV5d2XDugSPrRZv +69qUql70Nr1OrccFzpKLh8=
X-Google-Smtp-Source: AGHT+IGkaF8ClVI8PQAgJdcG3x+dCibAbh02GCLAn7UgrL9seSdGiArtmHjstInME43wYpBp0SCWPw==
X-Received: by 2002:a05:600c:1c21:b0:401:7d3b:cc84 with SMTP id j33-20020a05600c1c2100b004017d3bcc84mr23814056wms.0.1699279847183; Mon, 06 Nov 2023 06:10:47 -0800 (PST)
Received: from smtpclient.apple ([185.147.91.181]) by smtp.gmail.com with ESMTPSA id gw21-20020a05600c851500b004064741f855sm12086509wmb.47.2023.11.06.06.10.08 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 06 Nov 2023 06:10:31 -0800 (PST)
From: Neil Madden <neil.e.madden@gmail.com>
Message-Id: <C3E1A2E4-AFE0-4C85-8F53-0C1C0154107A@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_90A02C64-0588-4BEC-9E7E-F67F0CE336F1"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
Date: Mon, 06 Nov 2023 14:09:58 +0000
In-Reply-To: <CAD9ie-sfrzEMvS8yk49XSNfvwRbcj1tPKfmNxC97VAF4pRqcfg@mail.gmail.com>
Cc: Aaron Parecki <aaron=40parecki.com@dmarc.ietf.org>, Daniel Fett <fett=40danielfett.de@dmarc.ietf.org>, oauth@ietf.org
To: "dick.hardt" <Dick.Hardt@gmail.com>
References: <CAD9ie-sh0qnGzg5VwU_enq2Br9hH5zgm86z9i7vdMj_uQs=4yA@mail.gmail.com> <CAGBSGjrMDrXMd2ApKmLn_LVgMSLME-wvHqPCTpzgDxk5_+kRSA@mail.gmail.com> <f6383d62-9586-49c9-a824-9d92288ee4bd@danielfett.de> <CAGBSGjqe2HjJuh6OgJy5VU+w8HRyu159uJtMnmXS+LPWg_LphA@mail.gmail.com> <CAD9ie-sfrzEMvS8yk49XSNfvwRbcj1tPKfmNxC97VAF4pRqcfg@mail.gmail.com>
X-Mailer: Apple Mail (2.3731.700.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JRQ-UNNGK7nMp7np_uhftlayEEs>
Subject: Re: [OAUTH-WG] Cookies & headers in OAuth 2.0 Security Best Current Practice?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Nov 2023 14:10:53 -0000

Although I think we could add some basic advice, the list of security headers to use is still evolving. For example, there were several headers added after Spectre to limit cross-site interactions. And then there’s things like the “X-XSS-Protection” header, which was best practice to add to responses not too long ago but has now been universally removed from browsers as it enabled certain content disclosure attacks.

Cookie security attributes are perhaps a bit more stable, but in general we probably just want to point people at “living” guidance like OWASP.

— Neil

> On 5 Nov 2023, at 19:28, Dick Hardt <dick.hardt@gmail.com> wrote:
> 
> The cookie and header recommendations I am thinking of would be for the AS as well as the client. 
> 
> A number of XSS attacks can be thwarted by a modern browser and the right HTTP headers.
> 
> My question is: Did the authors consider adding cookie and header recommendations, and decided it was too general? 
> 
> Cookie and header best security practices have been around for years -- I'm not suggesting we make anything up -- I'm suggesting we raise awareness. 
> 
> I consider myself to be fairly security aware, and I was not aware of some of the HTTP headers that are best security practice. 
> 
> /Dick
> 
> 
> On Sun, Nov 5, 2023 at 11:19 AM Aaron Parecki <aaron=40parecki.com@dmarc.ietf.org <mailto:40parecki.com@dmarc.ietf.org>> wrote:
>> I don't think it's necessary to say "do the right things with cookies" in the Security BCP. The Browser Apps BCP has a much deeper discussion of how different browser-based architectures work with cookies so that seems like a better place to actually have a real discussion about it.
>> 
>> Also +1 to what Daniel said about not continuing to add little things. Plus I think it's too late anyway, publication has already been requested for the Security BCP.
>> 
>> Aaron
>> 
>> On Sun, Nov 5, 2023 at 11:14 AM Daniel Fett <fett=40danielfett.de@dmarc.ietf.org <mailto:40danielfett.de@dmarc.ietf.org>> wrote:
>>> I agree with Aaron! 
>>> 
>>> Also we should be very careful about any additions to the Security BCP at this point. It is very easy to re-start the "one more thing" loop we've been stuck in for the last years. There may be more useful things to say, but we should put them on the list for a future second version of the BCP.
>>> 
>>> -Daniel
>>> 
>>> Am 05.11.23 um 20:03 schrieb Aaron Parecki:
>>>> I don't think the Security BCP should incorporate cookie best practices directly in the document. If anything, it sounds like possibly a candidate for inclusion in the Browser Apps BCP. 
>>>> 
>>>> There are already some mentions of these cookie properties mentioned in the Browser Apps BCP, though only in reference to specific architectures, not as a general best practice. For example:
>>>> 
>>>> https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html#pattern-bff-cookie-security
>>>> 
>>>> Aaron
>>>> 
>>>> On Sun, Nov 5, 2023 at 10:48 AM Dick Hardt <dick.hardt@gmail.com <mailto:dick.hardt@gmail.com>> wrote:
>>>>> Hey
>>>>> 
>>>>> I was reviewing security on some sites I managed and checked to see if the recommendations were in the BCP.
>>>>> 
>>>>> I don't see anything around cookies such as httpOnly, sameSite, secure. 
>>>>> 
>>>>> I saw some HTTP security header suggestions buried in 4.16 (X-Frame-Options, CSP), but not for Strict-Transport-Security, Permissions-Policy, or X-Content-Type-Options, and the CSP guidance is rather vague.
>>>>> 
>>>>> I understand these are general web security best practices, and perhaps I missed it, but I think it would be useful to call out that best security practices around cookies and headers should also be followed in Section 2, and either have the best practices included, or direct the reader where to find them.
>>>>> 
>>>>> /Dick
>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email