Re: Origin cookies from Martin Thomson on 2014-10-24 (ietf-http-wg@w3.org from October to December 2014)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 24 Oct 2014 09:22:30 -0700
To: Mike West <mkwst@google.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABkgnnXYgEo-CHbvwQrjYy6ByrEfC17VgJzeP7PVK+9=69kPMQ@mail.gmail.com>

On 24 October 2014 03:06, Mike West <mkwst@google.com> wrote:
> Per step 6 of http://tools.ietf.org/html/rfc6265#section-5.3, the example in
> the document (`SetCookie: id=abcd; Origin`) would be treated as a host-only
> cookie by browsers that don't support the proposal. It's not clear to me
> what you mean by "failing open" in that case, as it wouldn't be any more
> open than it is today.
>
> I agree, however, that the document's examples should be more realistic, and
> should set at least the `Secure` attribute.

That's only one scope-limiting attribute.  You aren't looking to alter
Path, but there is also HttpOnly.  And then there's the fact that
cookies historically don't consider port number.

My point here is that you can't safely add something that attempts to
limit the scope of applicability if it relies on an attribute that
will be ignored by old implementations.  That means I'm having trouble
reconciling the design with the fact that confidentiality is an
important characteristic of cookies.  You wouldn't be able to rely on
the Origin attribute being honoured, not ever, which makes me sad.

The alternative is to ensure that your new stuff is completely ignored
by old implementations.  There are plenty of options here: you could
add a value to the Origin attribute, or use a new header field to set
the value... I recognize that introduces a pretty dire failure mode
(see Cake).

> If we wish to defend against the kinds of annoyances that GitHub eloquently
> documented at https://github.com/blog/1466-yummy-cookies-across-domains,
> then we need to offer the website the ability to distinguish between cookies
> set by its own origin, and cookies which might have been set by a subdomain.

Yeah, maybe we need a way for an origin to block cookies from subdomains.

> Moving origin cookies to a separate header makes this clear in a
> backwards-compatible way. It's not clear that there's any way to shoehorn
> that information into the existing header without breakage.

Well, it's a cookie, so presumably there's ways to mark cookies that
were intended to be origin-bound in a way that can be detected by the
origin.  It's disgustingly inefficient, but I've used a MAC in the
past (I'm sure that you are aware of the Macaroon work here).

Received on Friday, 24 October 2014 16:22:59 UTC