
Re: Opting in to cookies - proposal version 3

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 20 Jun 2008 22:53:47 +0000 (UTC)
To: Jonas Sicking <jonas@sicking.cc>
Cc: Web Applications Working Group WG <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.62.0806202249270.13974@hixie.dreamhostps.com>

On Fri, 20 Jun 2008, Jonas Sicking wrote:
> 
> Under the current spec the operator must check each individual PHP
> script in the part of the site that is shared to make sure that none of
> them use $_SESSION, $_COOKIE, $HTTP_SESSION_VARS, $_ENV['HTTP_COOKIE'],
> HttpRequest::getCookies(), any of the session_* functions,
> $_ENV['REMOTE_USER'], $_ENV['REMOTE_IDENT'], $_ENV['HTTP_AUTHORIZATION'], any
> of the kadm5_* functions, any of the radius_* functions or anything else that
> I'm missing that does session management based on user credentials.
> 
> If any of these things are used then the PHP script is likely mixing private
> data into the public data and so the script needs to be modified to not use
> any of the above features when the 'Origin' header is present and has a value
> different from the current domain.
> 
> While this is certainly doable, I feel that there is a risk that the site
> administrator will make a mistake and miss some of the above listed features
> and cause private data to be leaked.
> 
> So again, the issue isn't in understanding the spec. The issue is securing
> your site for the security model that the spec requires.

That's all well and good, but what if the site author wants to send back 
some data that _is_ cookie aware? Now he has to go through and do the 
check anyway. So what's the win?

I think it's safe to assume that if the site uses cookies at all, that 
it'll eventually want to provide cross-site access to user data in some 
way.

So it now seems like you are saying that this feature is only intended to 
delay the time before which someone has to audit their site. That doesn't 
seem like a great win to me.


> > > Additionally, this way you can make sure to ask the user always 
> > > before sending the Access-Control-With-Credentials header. This way 
> > > the risk of leaking private data without the user realizing is 
> > > further reduced.
> 
> I'm talking about the site asking the user this question.

The site doesn't know if it's asked the user this question if it doesn't 
have the cookies to know who the user is.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 20 June 2008 22:54:26 GMT
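
The audit described in the quoted message from Jonas Sicking, as an added example that is not part of the original thread: a Python scan of PHP sources for the credential-bearing features he lists, reporting each use by line. The sample scripts, the function names and the `HTTP_ORIGIN` heuristic are assumptions made for illustration; comments are not stripped, so the scan errs toward false positives.

```python
import re

# Features named in the quoted message. Its author says the list may be
# incomplete, so a clean scan does not prove a script is credential-free.
_FUNCS = re.I  # PHP function names are case-insensitive; variables are not
PATTERNS = [
    ("$_SESSION", re.compile(r"\$_SESSION\b")),
    ("$_COOKIE", re.compile(r"\$_COOKIE\b")),
    ("$HTTP_SESSION_VARS", re.compile(r"\$HTTP_SESSION_VARS\b")),
    ("$_ENV credential key", re.compile(
        r"\$_ENV\[\s*['\"](HTTP_COOKIE|REMOTE_USER|REMOTE_IDENT|HTTP_AUTHORIZATION)['\"]")),
    ("getCookies()", re.compile(r"\bgetCookies\s*\(", _FUNCS)),
    ("session_* function", re.compile(r"\bsession_\w+\s*\(", _FUNCS)),
    ("kadm5_* function", re.compile(r"\bkadm5_\w+\s*\(", _FUNCS)),
    ("radius_* function", re.compile(r"\bradius_\w+\s*\(", _FUNCS)),
]

def scan_php(source):
    """Return [(line_no, label, text)] for each listed feature found in source."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for label, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((no, label, line.strip()))
    return findings

def audit(scripts):
    """scripts maps path -> PHP source. Only scripts with findings are reported."""
    report = {}
    for path, source in scripts.items():
        hits = scan_php(source)
        if hits:
            # Assumed heuristic: a script that never mentions HTTP_ORIGIN cannot
            # be varying its behaviour on the request's Origin header.
            report[path] = {"hits": hits, "checks_origin": "HTTP_ORIGIN" in source}
    return report

SAMPLE_SCRIPTS = {  # constructed inputs, not taken from the thread
    "shared/feed.php": "<?php\necho json_encode(load_public_items());\n",
    "shared/profile.php": "<?php\nsession_start();\n$name = $_SESSION['user'];\necho \"Hello $name\";\n",
    "shared/prefs.php": "<?php\nif (!isset($_SERVER['HTTP_ORIGIN'])) {\n    $theme = $_COOKIE['theme'];\n}\n",
}

if __name__ == "__main__":
    for path, entry in audit(SAMPLE_SCRIPTS).items():
        print(path, "checks Origin" if entry["checks_origin"] else "NO Origin check")
        for no, label, text in entry["hits"]:
            print(f"  line {no}: {label}: {text}")
```
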
