Re: [OAUTH-WG] Web apps BCP feedback
Thomas Broyer <t.broyer@gmail.com> Sun, 26 September 2021 13:11 UTC
References: <CB89CE83-269A-44E6-AB27-A2BDA452EBD2@pragmaticwebsecurity.com> <9C0F9B3A-66A8-4C5E-9E5E-C01C919D4A83@forgerock.com>
In-Reply-To: <9C0F9B3A-66A8-4C5E-9E5E-C01C919D4A83@forgerock.com>
From: Thomas Broyer <t.broyer@gmail.com>
Date: Sun, 26 Sep 2021 15:11:04 +0200
Message-ID: <CAEayHEO6iwZU9Aub=7aFuYhrskK6RmQKUJ1kc1qWp+zf2tbkZw@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: Philippe De Ryck <philippe@pragmaticwebsecurity.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_9bWJcPbiA_fjuGKLtNZtnlTC-I>
On Sun, Sep 26, 2021 at 10:24 AM Neil Madden <neil.madden@forgerock.com> wrote:

> Right, cookie prefixes is one approach - but still has a little way to go
> on browser share [1].
>

Fwiw, a big part of that "missing" browser share is Safari on iOS (14.25% of global share), and I just tested on devices through BrowserStack on https://googlechrome.github.io/samples/cookie-prefixes/ and it *does* support cookie prefixes (tested with v14 and v13).

> In my book (have I mentioned my book? :-)), I show a variant of the
> double-submit cookie pattern in which the anti-CSRF token is a SHA-256 hash
> of the session cookie [2], which prevents the cookie being overridden.
>
> We should probably just defer to the security considerations in
> rfc6265-bis [3], which already discusses some limitations of SameSite and
> recommends it be used as a defence-in-depth alongside traditional defences.
>

+1, just mentioning that there should be CSRF mitigations in place should be enough IMO.

Also maybe mention that securing the API is then actually outside the scope of the BCP (whose role in this case is only to recommend *not* using OAuth)

-- 
Thomas Broyer
/tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
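The two mechanisms discussed in the exchange above, the `__Host-` cookie prefix and a double-submit CSRF token derived as a SHA-256 hash of the session cookie, shown side by side as an added example. This is illustrative code written for this page; it is not from the thread, the BCP draft, or Neil Madden's book. The cookie name `__Host-session`, the header name `X-CSRF-Token`, and the function names are assumptions made for the example; the server-side check compares the submitted token against a hash of the session cookie the browser actually sent, so a token is only accepted together with the session it was derived from.

```python
import hashlib
import hmac
from typing import Mapping

# Assumed names for this example (not from the thread or the BCP draft).
SESSION_COOKIE = "__Host-session"   # __Host- prefix: must be Secure, Path=/, no Domain
CSRF_HEADER = "X-CSRF-Token"


def csrf_token_for(session_id: str) -> str:
    """Double-submit variant: the anti-CSRF token is SHA-256 of the session cookie value.

    The token can be exposed to page scripts (e.g. in a readable cookie) without
    revealing the session id itself, because SHA-256 is one-way.
    """
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()


def csrf_check(cookies: Mapping[str, str], headers: Mapping[str, str]) -> bool:
    """Server-side validation of a state-changing request.

    Recomputes the expected token from the session cookie the browser sent and
    compares it in constant time with the token the client put in the header.
    A request is rejected when either value is missing or they do not match.
    """
    session_id = cookies.get(SESSION_COOKIE)
    submitted = headers.get(CSRF_HEADER)
    if not session_id or not submitted:
        return False
    return hmac.compare_digest(csrf_token_for(session_id), submitted)


def session_set_cookie(session_id: str) -> str:
    """Build a Set-Cookie value that satisfies the __Host- prefix rules."""
    return f"{SESSION_COOKIE}={session_id}; Secure; HttpOnly; Path=/; SameSite=Lax"


def host_prefix_ok(set_cookie: str) -> bool:
    """Check a Set-Cookie string against the __Host- prefix requirements.

    A __Host- cookie is only accepted by a supporting browser if it has the
    Secure attribute, Path=/ and no Domain attribute. Returns False for any
    cookie (prefixed or not) that would not be accepted as a __Host- cookie.
    """
    name_value, *attrs = [p.strip() for p in set_cookie.split(";")]
    name = name_value.split("=", 1)[0]
    if not name.startswith("__Host-"):
        return False
    attr_map = {}
    for attr in attrs:
        key, _, value = attr.partition("=")
        attr_map[key.strip().lower()] = value.strip()
    return (
        "secure" in attr_map
        and "domain" not in attr_map
        and attr_map.get("path") == "/"
    )


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    sid = "abc"
    print(session_set_cookie(sid), host_prefix_ok(session_set_cookie(sid)))
    token = csrf_token_for(sid)
    print("valid:", csrf_check({SESSION_COOKIE: sid}, {CSRF_HEADER: token}))
    print("wrong token:", csrf_check({SESSION_COOKIE: sid}, {CSRF_HEADER: "0" * 64}))
```

`csrf_check` deliberately treats a missing header as a failure rather than skipping the check, so a cross-site form post (which cannot add custom headers) is rejected even when the browser attaches the session cookie. `host_prefix_ok` is useful as a unit test on the cookie the server emits: a cookie that violates a prefix rule is silently dropped by supporting browsers, which shows up as users being logged out rather than as an error.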