Re: errata for cookie spec

On Wed, 5 Feb 1997, Dave Kristol wrote:

> In case you missed the IETF notice, I've written a set of errata to the
> Cookie Spec., draft-ietf-http-state-mgmt-05.txt.  I would have
> preferred to wait until the spec. became an RFC, but it was more
> important to get the corrections in front of people than to sit on
> formalities.  Once the RFC issues, I will produce a new I-D that
> incorporates the errata.
> 
> Visit http://portal.research.bell-labs.com/~dmk/cookie.html for
> links to the basic spec. and the errata.
> 
> I welcome comments to the spec. or to the errata.  Keep in mind that
> comments on the former are constrained to clarifications or things
> that affect interoperability.  Incompatible changes are pretty much
> out of bounds for this round.

| 8.3  Unexpected Cookie Sharing
|
| A user agent should make every attempt to prevent the sharing of session
| information between hosts that are in different domains.  Embedded or
| inlined objects may cause particularly severe privacy problems if they
| can be used to share cookies between disparate hosts.  For example, a
| malicious server could embed cookie information for host a.com in a URI
| for a CGI on host b.com.  User agent implementors are strongly
| encouraged to prevent this sort of exchange whenever possible.

This needs to be strengthened. This is *ALREADY* a major problem,
with a number of 'banner services' such as 'doubleclick.com' currently
exploiting inlined images to track people across domains. Perhaps
something like 'User agents MUST NOT allow the setting of cookies
on inlined or embedded objects if the enclosing document and the inlined or
embedded object would be precluded from directly sharing a cookie by the
other domain exclusion rules.' should be added to 4.3.2.

Section 7.1 also needs to mention that a user who has chosen to
automatically refuse cookies should have the option to do so
*silently*. Having to manually refuse each cookie for every image and
page on a site results in the acceptance of cookies just to make the damn
browser shut up about them. This is a security issue.

-- 
Benjamin Franz
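The third-party rule Franz proposes, as an added example that is not part of the original thread: a user-agent check that first applies the Domain rejection rules of section 4.3.2 of the spec under discussion (as published in RFC 2109), then refuses a cookie set on an inlined object unless the enclosing document's host also domain-matches it. Host names and scenarios are constructed.

```python
# Added example, not from the original message or the spec. Implements the RFC 2109
# section 4.3.2 Domain rules plus Franz's proposed refusal for inlined objects.
from typing import List, Optional, Tuple

def domain_match(host: str, domain: str) -> bool:
    """RFC 2109 'domain-match': A matches B if A == B, or B starts with a dot
    and A ends with B (e.g. 'x.foo.com' domain-matches '.foo.com')."""
    host, domain = host.lower(), domain.lower()
    return host == domain or (domain.startswith(".") and host.endswith(domain))

def reject_domain(request_host: str, domain: str) -> Optional[str]:
    """Apply the four Domain rejection rules of 4.3.2; return a reason or None."""
    if not domain.startswith("."):
        return "Domain does not start with a dot"
    if "." not in domain[1:]:
        return "Domain has no embedded dot"          # '.com' would cover every host
    if not domain_match(request_host, domain):
        return "request host does not domain-match Domain"
    if "." in request_host[: -len(domain)]:          # the 'H' in H + D has a dot
        return "request host has an extra label below Domain"  # a.b.foo.com vs .foo.com
    return None

def accept_embedded_cookie(document_host: str, object_host: str,
                           domain: Optional[str]) -> bool:
    """Franz's rule: honour a Set-Cookie received for an inlined object only if
    the enclosing document and the object could share that cookie directly."""
    if domain is not None and reject_domain(object_host, domain):
        return False                                 # invalid even for the object itself
    effective = domain or object_host                # no Domain attribute -> request host
    return domain_match(document_host, effective)   # shareable with the document?

# Constructed sample scenarios: (document host, inlined object host, Domain attribute)
SAMPLES: List[Tuple[str, str, Optional[str]]] = [
    ("www.example.com", "images.example.com", ".example.com"),  # first party, shareable
    ("www.example.com", "images.example.com", None),            # host-only, not shareable
    ("news.example.org", "ad.tracker.example", None),           # third-party banner
    ("www.example.com", "a.b.example.com", ".example.com"),     # extra label, rule 4
    ("www.example.com", "www.example.com", ".com"),             # no embedded dot, rule 2
]

def evaluate(samples=SAMPLES) -> List[bool]:
    return [accept_embedded_cookie(*s) for s in samples]

if __name__ == "__main__":
    for s, ok in zip(SAMPLES, evaluate()):
        print("accept" if ok else "refuse", s)
```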

Received on Wednesday, 5 February 1997 15:11:45 UTC