- From: <bugzilla@jessica.w3.org>
- Date: Wed, 10 Nov 2010 13:53:26 +0000
- To: public-html-bugzilla@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=11235

--- Comment #7 from Kyle Simpson <w3c@getify.myspamkiller.com> 2010-11-10 13:53:25 UTC ---

I've definitely been in favor of this proposal, especially the suppressing of cookies.

I ran it by Billy Hoffman (http://zoompf.com) and he brought up a good point that we need to consider. There are apparently some servers/applications that are intentionally configured to log out a user session if a request is received that has no cookies. Honestly, I'm not actually sure how that would work, because I'm not sure how the server knows which session to kill if there was no cookie to identify to the server who the request came from. But, nevertheless, apparently this is a reality out there.

So, the obvious point is, anyone who used such functionality in their application (for whatever reason, intentional or not) couldn't use this rel="anonymous" to suppress cookies without logging out users.

On the surface, my reaction was to say that such strange setups would just be unable to use this rel feature. But Billy pointed out that such things can be used in a DoS attack. For instance, evil.com can have an <img> tag on it that points to an image on bank.com, and uses rel="anonymous" to force the user to be logged out. Now, in my opinion, this type of DoS is rather benign, but I guess it's real nonetheless.

So, this is what I propose: We restrict the behavior of rel=anonymous to only work (at least in terms of cookies) if the resource is on the same domain (exactly) as the page domain. It would be silently ignored for requests to resources on other domains.

This should be fine for CDN usage, because CDNs in general are not sending out cookies. Or, rather, the issue we're trying to solve is much more about all the global cookies that are set on a local domain (like analytics tracking cookies, etc.) that are unnecessarily bogging down static resource requests.
So, the vast majority of those requests will be to the same page-domain, which would benefit from the rel=anonymous behavior being discussed.

Thoughts?

--Kyle
Received on Wednesday, 10 November 2010 13:53:29 UTC
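The same-domain restriction proposed in the comment above, modelled as an added example (not code from the bug thread or from any browser; all function names, the cookie jar and the sample URLs are constructed). It shows the cookie-suppression decision, why the cross-domain case is silently ignored, and that a subdomain does not count as "exactly" the same domain.

```javascript
// Added example: a model of the proposed rel="anonymous" cookie policy
// with the same-domain restriction. Names are assumed; nothing here is
// browser or bug-thread code.

// Exact host match, as the comment proposes ("same domain (exactly)").
// Under this rule cdn.bank.com does NOT match bank.com.
function isSameDomain(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  return page.hostname === res.hostname;
}

// Decide whether cookies are suppressed for a subresource request.
// relTokens: the space-separated value of the element's rel attribute.
function shouldSuppressCookies(pageUrl, resourceUrl, relTokens) {
  const anonymous = relTokens.split(/\s+/).includes("anonymous");
  if (!anonymous) return false;
  // The restriction: rel=anonymous is silently ignored cross-domain, so a
  // page on evil.com cannot force a cookieless request to bank.com and
  // trigger a "no cookies => log out" rule there.
  return isSameDomain(pageUrl, resourceUrl);
}

// Headers the modelled browser would send. cookieJar is a constructed
// map of hostname -> Cookie header value.
function buildRequestHeaders(pageUrl, resourceUrl, relTokens, cookieJar) {
  const host = new URL(resourceUrl).hostname;
  const headers = { Host: host };
  if (!shouldSuppressCookies(pageUrl, resourceUrl, relTokens) && cookieJar[host]) {
    headers.Cookie = cookieJar[host];
  }
  return headers;
}

// Constructed sample cookie jar: a session cookie plus an analytics
// cookie on bank.com, the kind of baggage the proposal wants off static
// same-domain requests.
const SAMPLE_JAR = {
  "bank.com": "session=abc123; _ga=GA1.2.555",
  "evil.com": "tracker=1",
};
```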