Re: Origin cookies

On Oct 24, 2014 5:29 AM, "Martin Thomson" <martin.thomson@gmail.com> wrote:
>
> Just saw this.  It's a laudable goal.  I'd hope that we could move
> toward this being a default mode.

Glad it looks interesting! I meant to send a proposal to the list earlier
this week, but didn't somehow...
https://tools.ietf.org/html/draft-west-origin-cookies-00 is the document
we're discussing.

> I'm concerned that this draft is a little backwards when it comes to
> backward compat.  Clients that don't support the restriction will fail
> open, spilling the cookie contents all over the place.  Especially so
> if the origin attribute is the only attribute and other scope-limiting
> attributes are not put in place.

Per step 6 of http://tools.ietf.org/html/rfc6265#section-5.3, the example
in the document (`Set-Cookie: id=abcd; Origin`) would be treated as a
host-only cookie by browsers that don't support the proposal. It's not
clear to me what you mean by "failing open" in that case, as it wouldn't be
any more open than it is today.

I agree, however, that the document's examples should be more realistic,
and should set at least the `Secure` attribute.

> In addition to that failure mode, I don't see any value in having a
> signal from the client that a particular cookie is origin-bound.  The
> Cookie header should be sufficient for that.
>
> Would it make sense to reverse things: have the Origin-Cookie header
> field be the Set-Cookie analogue and then include that data in the Cookie
> header field of requests

If we wish to defend against the kinds of annoyances that GitHub eloquently
documented at https://github.com/blog/1466-yummy-cookies-across-domains,
then we need to offer the website the ability to distinguish between
cookies set by its own origin, and cookies which might have been set by a
subdomain.

Moving origin cookies to a separate header makes this clear in a
backwards-compatible way. It's not clear that there's any way to shoehorn
that information into the existing header without breakage.

Thanks!

-mike

Received on Friday, 24 October 2014 10:07:47 UTC
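An added example, not part of the thread or of draft-west-origin-cookies, that models the two behaviours discussed above: a browser that does not know the proposed `Origin` attribute ignores it per RFC 6265 section 5.2 and, with no `Domain` attribute, stores the cookie host-only (section 5.3 step 6); and a cookie set by a subdomain with `Domain=` reaches the parent host in the same `Cookie` header, indistinguishable from the parent's own cookie, which is the "cookie tossing" problem the GitHub post describes. The parser is a simplified RFC 6265 model (no `Expires`/`Max-Age` handling, no public-suffix check); all function and field names and the `example.com` hosts are constructed for the example.

```python
"""Simplified RFC 6265 cookie storage model (sections 5.2-5.4), added example."""
from dataclasses import dataclass, field

# Attributes RFC 6265 defines; anything else is dropped by section 5.2.
KNOWN_ATTRS = {"expires", "max-age", "domain", "path", "secure", "httponly"}


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str          # host the cookie is scoped to
    host_only: bool      # True when no Domain attribute was given (5.3 step 6)
    path: str
    secure: bool
    ignored_attributes: list = field(default_factory=list)


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match (IP-address rule omitted)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header_value: str, request_host: str, request_path: str = "/"):
    """Parse one Set-Cookie value as received from request_host (sections 5.2/5.3)."""
    parts = header_value.split(";")
    if "=" not in parts[0]:
        return None                      # 5.2 step 2: no name=value pair, ignore
    name, value = (s.strip() for s in parts[0].split("=", 1))
    if not name:
        return None
    domain, path, secure, ignored = "", request_path, False, []
    for attr in parts[1:]:
        attr = attr.strip()
        if not attr:
            continue
        aname, _, avalue = attr.partition("=")
        aname, avalue = aname.strip().lower(), avalue.strip()
        if aname == "domain":
            domain = avalue.lstrip(".").lower()
        elif aname == "path":
            if avalue.startswith("/"):
                path = avalue
        elif aname == "secure":
            secure = True
        elif aname in KNOWN_ATTRS:
            pass                         # expires/max-age/httponly not modelled here
        else:
            # 5.2: unrecognised attributes are ignored. A browser without
            # support for the proposal drops the `Origin` attribute right here.
            ignored.append(aname)
    if domain:
        # 5.3 step 6: Domain given; request host must domain-match it.
        # (A real agent also rejects public suffixes such as "com".)
        if not domain_matches(request_host, domain):
            return None
        host_only = False
    else:
        # 5.3 step 6: no Domain attribute -> host-only for the request host.
        host_only, domain = True, request_host.lower()
    return StoredCookie(name, value, domain, host_only, path, secure, ignored)


def cookie_header_for(jar, request_host: str, secure_request: bool) -> str:
    """Build the Cookie header value for a request (section 5.4, path ignored)."""
    sent = []
    for c in jar:
        if c.host_only and request_host.lower() != c.domain:
            continue
        if not c.host_only and not domain_matches(request_host, c.domain):
            continue
        if c.secure and not secure_request:
            continue
        sent.append(f"{c.name}={c.value}")
    return "; ".join(sent)


if __name__ == "__main__":
    # Constructed scenario: the parent host sets the draft's example cookie,
    # then a subdomain sets a same-named cookie scoped to the parent domain.
    own = parse_set_cookie("id=abcd; Origin; Secure", "example.com")
    tossed = parse_set_cookie("id=evil; Domain=example.com", "sub.example.com")
    print(own)      # host_only=True, ignored_attributes=['origin']
    print(tossed)   # host_only=False, domain='example.com'
    # The server at example.com sees both values with nothing to tell them apart.
    print("Cookie:", cookie_header_for([own, tossed], "example.com", True))
```

The `ignored_attributes` field makes the fail-open question concrete: a non-supporting browser stores `id=abcd; Origin` exactly as it would store `id=abcd`, so the cookie is no more exposed than an ordinary host-only cookie, but `Secure` still has to be set explicitly. The last print shows why the proposal carries origin-bound cookies in a separate header: inside `Cookie: id=abcd; id=evil` the server has no signal which value its own origin set.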