Re: Opting in to cookies - proposal version 3 from Ian Hickson on 2008-06-19 (public-webapps@w3.org from April to June 2008)

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 19 Jun 2008 21:45:55 +0000 (UTC)
To: Jonas Sicking <jonas@sicking.cc>
Cc: Web Applications Working Group WG <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.62.0806192140170.13974@hixie.dreamhostps.com>

On Thu, 19 Jun 2008, Jonas Sicking wrote:
> > 
> > This only helps with servers that have same-domain pages that accept 
> > cookies, but have no cross-domain pages that accept cookies, ever 
> > (since if any of the cross-domain pages accept cookies, then our 
> > initial assumption -- that the site author makes a mistake and his 
> > site reacts to cookies in third-party requests by doing bad things -- 
> > means that he's lost).
> 
> How so. Sites that have a combination of private and public data can, 
> and hopefully will, only set the Access-Control-With-Credentials header 
> for the parts that serve private data. It needs to apply different 
> opt-in policies here anyway since it needs to ask the user before 
> sharing any of his/her data.

The scenario we are trying to address is the scenario where an author has 
accidentally allowed cross-site access to a part of the site that gives 
users abilities if they provide valid credentials, to prevent other sites 
from pretending to be the user and acting in a user-hostile way as if on 
the user's behalf.

Thus we are assuming that if a cookie is sent to the server with a 
cross-site request, the server will be vulnerable. That is the fundamental 
assumption.

Now, we can work around that by making it that authors don't accept 
cookies for cross-site requests, but only accept them from same-site 
requests. That works, because our assumption only relates to cross-site 
requests that _do_ include cookies.

If the server then opts-in to receiving cookies, then the server will 
receive cookies. Our assumption is that if a cookie is sent to the server 
with a cross-site request, the server will be vulnerable. Thus the server 
is now again vulnerable.

We can't pretend that the author will make a mistake if they always 
receive cookies but then assume that the author will suddenly stop making 
mistakes when we provide them with a way to opt-in to cookies. Either the 
author is going to make mistakes, or he isn't. We have to be consistent in 
our threat assessment.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 19 June 2008 21:46:36 UTC