W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2020

Cookies and schemes.

From: Mike West <mkwst@google.com>
Date: Mon, 9 Mar 2020 09:51:46 +0100
Message-ID: <CAKXHy=d260V9_63yNBwLjDG=upZ+HG3iJ8hKbnFc0KU7fCbVcQ@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Cc: mt@lowentropy.net
Hey folks!

We've known for quite some time that cookies' lack of respect for the
scheme that created them was an unfortunate choice that means cookies can
give only weak guarantees of confidentiality
<https://tools.ietf.org/html/rfc6265#section-8.5>. We further know that
long-lived non-secure cookies create real risks for users (pervasive
monitoring, data safety, etc).

Martin Thomson's https://tools.ietf.org/html/draft-thomson-http-omnomnom-00 is
one take on an approach to mitigating these risks.
https://github.com/mikewest/cookies-over-http-bad is another. Neither took
off when they were proposed, but they seem to me to be clearly good ideas,
at least directionally. Given the state of the world today, and the
significant migration from HTTP to HTTPS we've seen in the past few years,
I'd like to try tilting at this particular windmill again:

https://github.com/mikewest/scheming-cookies proposes two changes:

1. We teach cookies about schemes, and lock them to the scheme that set
them (just like every other web-facing storage mechanism).

2. We curtail non-secure schemes' cookies' lifetime by agreeing on a set of
heuristics for a user's "session" on a given site, and culling cookies when
a site's session expires.

The explainer tries to work through each of those and their implications in
a little more detail. I'd appreciate feedback, either here or in the GitHub
repo. :)

Received on Monday, 9 March 2020 08:52:14 UTC

This archive was generated by hypermail 2.4.0 : Monday, 9 March 2020 08:52:15 UTC