- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 24 Oct 2014 09:22:30 -0700
- To: Mike West <mkwst@google.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 24 October 2014 03:06, Mike West <mkwst@google.com> wrote: > Per step 6 of http://tools.ietf.org/html/rfc6265#section-5.3, the example in > the document (`SetCookie: id=abcd; Origin`) would be treated as a host-only > cookie by browsers that don't support the proposal. It's not clear to me > what you mean by "failing open" in that case, as it wouldn't be any more > open than it is today. > > I agree, however, that the document's examples should be more realistic, and > should set at least the `Secure` attribute. That's only one scope-limiting attribute. You aren't looking to alter Path, but there is also HttpOnly. And then there's the fact that cookies historically don't consider port number. My point here is that you can't safely add something that attempts to limit the scope of applicability if it relies on an attribute that will be ignored by old implementations. That means I'm having trouble reconciling the design with the fact that confidentiality is an important characteristic of cookies. You wouldn't be able to rely on the Origin attribute being honoured, not ever, which makes me sad. The alternative is to ensure that your new stuff is completely ignored by old implementations. There are plenty of options here: you could add a value to the Origin attribute, or use a new header field to set the value... I recognize that introduces a pretty dire failure mode (see Cake). > If we wish to defend against the kinds of annoyances that GitHub eloquently > documented at https://github.com/blog/1466-yummy-cookies-across-domains, > then we need to offer the website the ability to distinguish between cookies > set by its own origin, and cookies which might have been set by a subdomain. Yeah, maybe we need a way for an origin to block cookies from subdomains. > Moving origin cookies to a separate header makes this clear in a > backwards-compatible way. It's not clear that there's any way to shoehorn > that information into the existing header without breakage. Well, it's a cookie, so presumably there's ways to mark cookies that were intended to be origin-bound in a way that can be detected by the origin. It's disgustingly inefficient, but I've used a MAC in the past (I'm sure that you are aware of the Macaroon work here).
Received on Friday, 24 October 2014 16:22:59 UTC