- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 24 Oct 2014 23:15:28 +0200
- To: Mike West <mkwst@google.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 24 October 2014 21:42, Mike West <mkwst@google.com> wrote: > Ok. Origin cookies address this concern by locking the cookies to the origin > that set them. An origin cookie set by `example.com` would not be sent to > `subdomain.example.com` and vice versa. I think we're on the same page here. > >> >> And when you send cookies, you don't necessarily know that >> they support origin cookies, so you are taking a risk. > > > One way of mitigating this risk is to force the user agent to _always_ send > an `Origin-Cookie` header as a feature detection mechanism. Now you get it :) That seems kludgy, and it's going to hurt a lot given the size of the name (have you considered calling this 'Cake' for the sake of brevity?) Now, if we are paying this price for feature detection, I think that I would really like to see an entirely new mechanism defined. Even a small tweak would mitigate attacks like POODLE considerably. Imagine if you could randomly mask the contents of a cookie...
Received on Friday, 24 October 2014 21:15:56 UTC