- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Wed, 28 Jan 2015 13:34:13 -0000
- To: "'Mike West'" <mkwst@google.com>, "'Yehuda Katz'" <wycats@gmail.com>
- Cc: "'Daniel Appelquist'" <appelquist@gmail.com>, "'TAG List'" <www-tag@w3.org>
- Message-ID: <3b3801d03aff$1e233640$5a69a2c0$@baycloud.com>
Mike,

It is often hard for UAs to tell first-party from third-party accesses. For example, third-party blocking is being circumvented via redirection. JavaScript changes the href of a same-origin anchor tag, e.g. a menu item, to point to a third-party origin with the original href as a query parameter. The third-party server responds with a 302 redirect back to the original href, along with a set-cookies header, when the menu item is clicked. The browser cannot tell it is “really” a third-party, and the user may have no indication they were going to be redirected through the third-party.

The first-party attribute would have to stop cookies being sent in these kinds of redirected requests.

Mike O’Neill

From: Mike West [mailto:mkwst@google.com]
Sent: 28 January 2015 09:34
To: Yehuda Katz
Cc: Daniel Appelquist; TAG List
Subject: Re: Cookies Settings Observations

On Mon, Jan 26, 2015 at 9:12 PM, Yehuda Katz <wycats@gmail.com> wrote:

> I recently asked around about why we don't have a CSP mechanism (or other opt-in) to tell the browser that the cookies of a particular domain are "same origin only".

Ah, cookies. What a mess.

I took a stab at something like this in https://tools.ietf.org/html/draft-west-first-party-cookies-00. There seems to be vague interest in the HTTP WG, but I haven't gotten around to putting a prototype together yet.

-mike

--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, register court and number: Hamburg, HRB 86891, registered office: Hamburg, managing directors: Graham Law, Christine Elizabeth Flores

(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
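The redirect detour described above, modelled as an added Python example (not code from this thread or from the draft): an audit helper that flags cross-site hops in a navigation's redirect chain that set cookies, and a simplified first-party policy under which a cookie marked First-Party is attached only when the request is same-site with the page the click came from. Assumed: the constructed hosts shop.example and tracker.example, the constructed CHAIN, and a two-label "site" shortcut in place of the Public Suffix List.

```python
from urllib.parse import urlsplit

def site_of(url: str) -> str:
    """Crude registrable domain: last two host labels. Real UAs consult the
    Public Suffix List; the two-label shortcut is an assumption of this example."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def same_site(a: str, b: str) -> bool:
    return site_of(a) == site_of(b)

def parse_set_cookie(url: str, header: str) -> dict:
    """Keep only what the model needs: name, the site that set it, First-Party flag."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    flags = {p.lower() for p in parts[1:]}
    return {"name": name, "site": site_of(url), "first_party": "first-party" in flags}

# Constructed redirect chain for the pattern in the mail: a click on a shop.example
# menu item whose href was rewritten to tracker.example, which 302s straight back.
CHAIN = [
    {"url": "https://tracker.example/r?u=https%3A%2F%2Fshop.example%2Fmenu",
     "status": 302, "set_cookie": ["tid=abc123; First-Party", "legacy=1"]},
    {"url": "https://shop.example/menu", "status": 200, "set_cookie": []},
]

def cookie_setting_detours(initiator: str, chain: list) -> list:
    """Audit helper: hops that are cross-site to the page the click came from AND
    set cookies. The user never saw these URLs in the address bar."""
    return [h["url"] for h in chain
            if not same_site(initiator, h["url"]) and h["set_cookie"]]

def store(jar: list, chain: list) -> list:
    """Add every cookie set along the chain to the jar."""
    for hop in chain:
        jar.extend(parse_set_cookie(hop["url"], sc) for sc in hop["set_cookie"])
    return jar

def cookies_to_send(jar: list, initiator: str, request_url: str) -> list:
    """Model of the first-party rule: a First-Party cookie is attached only when the
    request is same-site with the page that initiated the navigation. This is the
    example's reading of the draft's intent, not its normative algorithm."""
    names = []
    for c in jar:
        if c["site"] != site_of(request_url):
            continue                     # ordinary host/domain match fails
        if c["first_party"] and not same_site(initiator, request_url):
            continue                     # the detour is cross-site: withhold it
        names.append(c["name"])
    return names
```

With `jar = store([], CHAIN)`, a second click from `https://shop.example/` that again detours through `CHAIN[0]["url"]` gets only `['legacy']` from `cookies_to_send`, while `cookie_setting_detours` flags the tracker hop.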
Attachments
- text/html attachment: PGPexch.htm
- application/octet-stream attachment: PGPexch.htm.sig
Received on Wednesday, 28 January 2015 13:36:38 UTC