- From: Mike West <mkwst@google.com>
- Date: Mon, 9 Mar 2020 09:51:46 +0100
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Cc: mt@lowentropy.net
- Message-ID: <CAKXHy=d260V9_63yNBwLjDG=upZ+HG3iJ8hKbnFc0KU7fCbVcQ@mail.gmail.com>
Hey folks!

We've known for quite some time that cookies' lack of respect for the scheme that created them was an unfortunate choice that means cookies can give only weak guarantees of confidentiality <https://tools.ietf.org/html/rfc6265#section-8.5>. We further know that long-lived non-secure cookies create real risks for users (pervasive monitoring, data safety, etc). Martin Thomson's https://tools.ietf.org/html/draft-thomson-http-omnomnom-00 is one take on an approach to mitigating these risks. https://github.com/mikewest/cookies-over-http-bad is another. Neither took off when they were proposed, but they seem to me to be clearly good ideas, at least directionally.

Given the state of the world today, and the significant migration from HTTP to HTTPS we've seen in the past few years, I'd like to try tilting at this particular windmill again: https://github.com/mikewest/scheming-cookies proposes two changes:

1. We teach cookies about schemes, and lock them to the scheme that set them (just like every other web-facing storage mechanism).

2. We curtail non-secure schemes' cookies' lifetime by agreeing on a set of heuristics for a user's "session" on a given site, and culling cookies when a site's session expires.

The explainer tries to work through each of those and their implications in a little more detail. I'd appreciate feedback, either here or in the GitHub repo. :)

-mike
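As an added illustration (not code from the explainer, the draft, or any browser), a small Python model of the two proposed changes: cookies keyed on the scheme that set them, and non-secure cookies culled once the site's session lapses, beside today's scheme-agnostic matching for comparison. The 30-minute idle window, the host example.test and the cookie values are constructed assumptions; the proposal leaves the actual session heuristics to be agreed.

```python
from dataclasses import dataclass, field

# Assumption (not from the proposal): a non-secure site's "session" is treated
# as over once no request to that site has been made for this many seconds.
HTTP_SESSION_IDLE_SECONDS = 30 * 60


@dataclass
class CookieJar:
    # Change 1: cookies are keyed on (scheme, host, name), so a cookie set over
    # https://example.test is distinct from one set over http://example.test.
    cookies: dict = field(default_factory=dict)
    # Time of the most recent request to each (scheme, host) site.
    last_activity: dict = field(default_factory=dict)

    def set_cookie(self, scheme, host, name, value, now):
        self.cookies[(scheme, host, name)] = value
        self.last_activity[(scheme, host)] = now

    def cull_expired_sessions(self, now):
        # Change 2: once a non-secure site's session has expired, drop every
        # cookie that site set. Cookies set over https are left alone.
        for (scheme, host, name) in list(self.cookies):
            idle = now - self.last_activity[(scheme, host)]
            if scheme != "https" and idle > HTTP_SESSION_IDLE_SECONDS:
                del self.cookies[(scheme, host, name)]

    def cookies_for_request(self, scheme, host, now):
        self.cull_expired_sessions(now)
        self.last_activity[(scheme, host)] = now
        return {n: v for (s, h, n), v in self.cookies.items()
                if s == scheme and h == host}

    def legacy_cookies_for_request(self, host):
        # Today's RFC 6265 behaviour for comparison: the scheme is ignored, so
        # a cookie set over https without the Secure attribute is also sent over http.
        return {n: v for (s, h, n), v in self.cookies.items() if h == host}


def demo():
    jar = CookieJar()
    jar.set_cookie("https", "example.test", "sid", "s3cret", now=0)
    jar.set_cookie("http", "example.test", "theme", "dark", now=0)
    leaked = jar.legacy_cookies_for_request("example.test")          # both cookies
    bound = jar.cookies_for_request("http", "example.test", now=60)  # theme only
    later = jar.cookies_for_request("http", "example.test", now=60 + 31 * 60)  # {}
    return leaked, bound, later
```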
Received on Monday, 9 March 2020 08:52:14 UTC