[OAUTH-WG] Re: OAuth for Browser-Based Apps BCP

Deb Cooley <debcooley1@gmail.com> Mon, 06 July 2026 20:13 UTC

Return-Path: <debcooley1@gmail.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 8223B110F2E8E for <oauth@mail2.ietf.org>; Mon, 6 Jul 2026 13:13:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1783368794; bh=fR2BWeuCN3Cb38f3iTMPhekXzRyJ8s73nRgscWfQuBI=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=kDTgkjQ/Cfu8nb0ymC2iG4Ebvb9zRU6a/GJoC/RofoSJuxbNR7pDFJKDiHv46wNhK lkRlVSPtm3AlGE5XHH4AqZeNx4jHClUa0+MoSOHj5EWnw8syT79o7YnAsTwVvdBsEa 2GZ/H5aUuwNDrpG7gAvzV+xgqemz89fBUds5akcc=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vx_dUt9MXsDB for <oauth@mail2.ietf.org>; Mon, 6 Jul 2026 13:13:13 -0700 (PDT)
Received: from mail-pj1-x1035.google.com (mail-pj1-x1035.google.com [IPv6:2607:f8b0:4864:20::1035]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 19322110E91E6 for <oauth@ietf.org>; Mon, 6 Jul 2026 12:56:34 -0700 (PDT)
Received: by mail-pj1-x1035.google.com with SMTP id 98e67ed59e1d1-37fc02e660bso2759817a91.0 for <oauth@ietf.org>; Mon, 06 Jul 2026 12:56:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1783367793; cv=none; d=google.com; s=arc-20260327; b=qOR/5a9K6OcmfstFAL9RTZX6sG9tuTRhUmy5raU8hZX3uy45vD6BY+PSN1ALk46ZSO 5a+A3nMjIELwZeYGzxkmAZIWxw3KPbjXbwprAc1UJMrPacHgSkspU4lUmfvF5W5xr0e/ KuWwKH593SXyFbpIEHePmZJAVsxEpQI9ilpDvWWZjKdP1TrjetZvwBwcybqd92iiNOXz 5u5WCZozcOzs5ZpNNnt/Zy7ERokg4xP1LG7M+pPnaa6AAEd232iDz8YLT94XZ55S5FHY vHceUpPQC+1mCUYNp+WxVaB3g06/Sm2v363Ob1XwnnL79mC8BPPzcLn7Z/dEqt6tHBZx e7qA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20260327; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=GuhkJ+cVoez5nW+gljxN7jYMBrO10BYEFwpP/znK9oA=; fh=Q0+GzUMZ+FCRZ4tO/GzB8cjK0StF1xtcrIKvdOaRmSI=; b=o/h/LKny6o7++3UMRh1PPcf1uZoUR4t9dFjmaqpH8n8TD7BWp4f4r8t3ojkAw+Dw1W r0qpYhXlX1f+hro4YImoDYvvKWnWJ1qxcqcPEEmtDBIpI/5tTp+qPkbXz9ftHc0P7xes yqbdHhHPYmdFOTu05RbdwC8DmaUZ4dJGYpOo7eacDT0tJdI10SkiCWpoW+MWpd4D++ay 4oEsRE2EYLr1FQjVDl4jk+0q0l4Dl6j2kwusqaFdlizhI5xQEpRRknHW0/nJ66GXho4D uEickEgnyfDsTzEsFnrMvcbfofy6B4rnxcNJMVUHdairx4/bD0A4LmfLcgh3gW3T4rmU jdoQ==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1783367793; x=1783972593; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=GuhkJ+cVoez5nW+gljxN7jYMBrO10BYEFwpP/znK9oA=; b=eJXPoW6lIbMlJeisH+a7Nqnvv33utXT29pYIr8QUp/Bm32Bin26QeA6YpoxQU+TIN3 7wen134h2k9Z7rLr/AKlKu9V+BO1yT1wp/b6hjFSJlrz1ReDRkXmz/PlODmwrMgWTF+X 87Qo3sFTxUW/mNztEE3Ea7UanbihbIWC22O9/3oXqq7j4/cAJ13T3/qhE+5RsOLbnkaK jDcTdwNp4B+L0FKC3/IQCFJNLQ/lQbPLjiaXEFPuwp6L2rJYixlGdU5SMPgfkLoAw15r xXo4NbaEIv86TCo+UXFEl8iDKsNnOBok6evtapyjygK/+VSQxwTx3y/6FMPuD8HnA6zq lHOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783367793; x=1783972593; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=GuhkJ+cVoez5nW+gljxN7jYMBrO10BYEFwpP/znK9oA=; b=AU8lPih6mtHCrSq+cJfUV211xMK+3oSWkvR9kIAP09eQYTOA7cyqHrBl20h9UHOM6U hsb2rB+PBjOcs5gpwHw67x4nljWdr8h4cD3/iqFGv2CipELoxHdLxD2ubvYVq/07QLdx a0uGbVJi7KR2Vj//dlSBE3lwM6yoOL+evaf3/DrKYXLBW3dZbJ3lRGVoBC3emOyXVrhk eYaldn5eML7dVlAIrVSE6mdlDBYvbLxDQqLa1UPcwkaJSCHB6A+U9Nl86Cxh6YXnRQlf iBWCBvKGDg9xePG919sCIQTr3oqJh9RtOdEVawa6vyLfiuRs8bXhF070VRfbdYBGn3ro bAMQ==
X-Gm-Message-State: AOJu0YxOgioodrNKCvVHTU4jYBDlx18JaNj1Al0+NzqVgdEvinqCXtd/ +U+Z02pZFwiI2Vy8yu6xKBBNe44I7++AQiPO0okYW8dNP7cS100Y3ivj8E1IBC13h/uBXKbSjWc i3XC7Q7nGyznOx4rGg0P6Klnqke227Q==
X-Gm-Gg: AfdE7cmWdsceq2YAf2iXABfz4hpqSCzaG9i0cFgbWAyOf69w5DvRcW7MYcOvmcDGBHa zzRysHbX5dnKW+HkqgO418GPjnbjwFGjdbHRTMXA9bf3opRmIVROWmzBKc2njNToa3LQ3GaQbU/ 4QFIowCjmMjesIFESdwyhjUYjpaLJ8lfQHEiJr/lEQ6X+kzndbBY3WYa8CYEQmvTZIV/1biwjx0 8eRon2x2V5kK9HoubY2/Mjwj+Kj/ohj3ZxtplxI4g75D5rhOCPw6faf4EkIPPJfVJaYW76OQ+UG 8IvW1zHsWVOpnf7lFVu87qJUlc0ypFiQCaEmKZiyd06YNAHIkj7nxT9DVfXOL+y+hziRoKBfgEl OTFgsXCyvJ0d9KrjmLawqupqz6Q==
X-Received: by 2002:a05:6a21:60c8:b0:3bf:edfb:62f0 with SMTP id adf61e73a8af0-3c08eff6dbcmr2535521637.55.1783367793103; Mon, 06 Jul 2026 12:56:33 -0700 (PDT)
MIME-Version: 1.0
References: <CAGBSGjrufOEq3H6fpTcU9BfpJvQAb1Wd2+WYZQs5r0XosU4Otg@mail.gmail.com> <39C98C88-422D-4A08-90C1-9FC7C3185AE9@runbox.eu> <CAFP9GX_HeHCVV1K4o6EhTXKAQjbt7zxDAwqRAbosjqTyPF5-Yg@mail.gmail.com> <5D6D49B6-5AB6-4325-85EB-A5882C2E1DDA@pragmaticwebsecurity.com> <CAGBSGjqhg6HLk57SiFQYsRSQxvxAr+ouZPhmovf_uhr9LZhWkQ@mail.gmail.com>
In-Reply-To: <CAGBSGjqhg6HLk57SiFQYsRSQxvxAr+ouZPhmovf_uhr9LZhWkQ@mail.gmail.com>
From: Deb Cooley <debcooley1@gmail.com>
Date: Mon, 06 Jul 2026 15:56:21 -0400
X-Gm-Features: AVVi8CdlsRJbX6qde3_CbybDg9p2W-GjqETRDspAaSwWLyTtMoSh7kbT91NkYCM
Message-ID: <CAGgd1OfTxv0VN6Nop4=odddFZMaKoMjtuz8M9M+jz8W9H7VGSQ@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
Content-Type: multipart/alternative; boundary="000000000000cfd61e0655f6ab63"
Message-ID-Hash: USS2CPSUVYOXPULZU65XKY524DUZ4YYB
X-Message-ID-Hash: USS2CPSUVYOXPULZU65XKY524DUZ4YYB
X-MailFrom: debcooley1@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: OAuth WG <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: OAuth for Browser-Based Apps BCP
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/VOWGSOYiy3EP7A-fwpPQnLZRDPw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

If the working group agrees (It looked good to me?), I'd push out a new
version.  That will get the attention of the RFC Editor who will tell us
what needs to happen next.

The ID submission system closes today...

Deb

On Wed, Jul 1, 2026 at 7:04 PM Aaron Parecki <aaron@parecki.com> wrote:

> It sounds like there is general agreement on this approach. The change is
> sitting in a PR right now:
>
> https://github.com/oauth-wg/oauth-browser-based-apps/pull/112/changes
>
> I will need advice from the chairs or AD on how to proceed here. I am
> hoping to resolve this without working group time in Vienna since the
> agenda is going to be extremely full.
>
> Aaron
>
>
>
>
> On Sat, Jun 27, 2026 at 12:28 AM Philippe De Ryck <
> philippe@pragmaticwebsecurity.com> wrote:
>
>> Enforcing the __Host-Http- prefix not only affects JS readability, but
>> also writeability from JS (e.g., an attacker writing a cookie through an
>> XSS attack vector). That’s why the spec explicitly states
>>
>> This helps developers and server operators to know that the cookie was
>> set using a Set-Cookie header
>>
>>
>> These prefixes are minor tweaks to the security model of the web, but
>> they do offer benefits and exist for a reason. These should become the
>> default for all cookies used, but each time I cover this topic in training,
>> almost no-one knows about cookie prefixes. It would be a bit of a missed
>> opportunity to release a browser-oriented spec without recommending the
>> best practices currently available, hence my request to update.
>>
>> Looking forward to finalizing the Browser-based apps BCP
>>
>> Philippe
>>
>> —
>> *Pragmatic Web Security*
>> *Security for developers*
>> https://pragmaticwebsecurity.com
>>
>> On 27 Jun 2026, at 04:03, Dhruv Agnihotri <dagni@umich.edu> wrote:
>>
>> +1 to publishing. The "for example" softening is the right call.
>>
>> On Neil's question, I read the new prefix as adding a property, though a
>> narrow one, and the "why did HTTPbis add these" question is answered by
>> design rather than by attack.
>>
>> The layered-cookies draft is structured as orthogonal, composable prefix
>> primitives: `__Host-` enforces origin scoping (Secure + Path=/ + no
>> Domain), `__Http-` enforces non-JS-readability (Secure + HttpOnly), and
>> `__Host-Http-` composes both. Over the existing `__Host-` plus the BCP's
>> `MUST HttpOnly`, the property `__Host-Http-` adds is that HttpOnly
>> enforcement moves from server-side policy to user-agent rejection —
>> layered-cookies §4.1.3.4 plus the cookie filtering algorithm has the UA
>> drop a `__Host-Http-`-named cookie that arrives without HttpOnly.
>>
>> For a spec-compliant deployment this changes nothing; for an operator
>> regression (misconfigured framework, alternate session code path, a
>> downgraded middleware that silently drops the flag) it's a UA-side catch in
>> browsers that have shipped the prefix. So no new attack class against the
>> BCP-conformant baseline, but a defense-in-depth layer for the case the MUST
>> is unintentionally violated.
>>
>> On that basis the example framing reads right: worth pointing at as the
>> direction of travel, not worth making the BCP's binding analysis depend on.
>>
>> (I covered the BFF section of -26 in an *InfoQ* piece earlier this year,
>> "*The DPoP Storage Paradox*
>> <https://www.infoq.com/articles/dpop-key-storage-unsolved-problem/>",
>> happy to dig into specifics on or off list if useful.)
>>
>> Dhruv Agnihotri
>> dagni@umich.edu
>>
>>
>> On Fri, Jun 26, 2026 at 3:19 AM Neil Madden <neil.e.madden@runbox.eu>
>> wrote:
>>
>>>
>>>
>>> > On 26 Jun 2026, at 00:50, Aaron Parecki <aaron=
>>> 40parecki.com@dmarc.ietf.org> wrote:
>>> >
>>> > Hi all,
>>> >
>>> > As you probably know, the "OAuth for Browser-Based Apps BCP" document
>>> has been stuck in the editor's queue for almost a year waiting on the
>>> publication of RFC6265bis. In the meantime, the HTTPbis working group has
>>> revised the recommendation in RFC6265bis that we reference, changing the
>>> recommendation from prefixing cookies with "__Host-" to "__Host-Http-" in a
>>> new document draft-ietf-httpbis-layered-cookies.
>>>
>>> >From what I can see, they've not changed it, they've introduced another
>>> set of prefixes. The __Host- prefix still exists, it just doesn't require
>>> the HttpOnly flag on cookies that are set. Given that the BCP already says
>>> HttpOnly is a MUST, I'm not sure what this adds?
>>>
>>> Does anyone know why the HTTPBis WG added these new prefixes? The old
>>> ones address known concrete security gaps, but I don't see an attack that
>>> this new prefix prevents.
>>>
>>> -- Neil
>>> _______________________________________________
>>> OAuth mailing list -- oauth@ietf.org
>>> To unsubscribe send an email to oauth-leave@ietf.org
>>>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-leave@ietf.org
>>
>>
>>