- From: Paolo Argentieri <paolo.argentieri@laserfiche.com>
- Date: Sat, 5 Sep 2020 02:44:18 +0000
- To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Hi all, first post here.

I'd like to propose a new "__Origin-" cookie prefix with "origin locked" semantics. While it is possible to implement these cookies today, standardized user agent support would add a layer of optimization and security.

The cookie name begins with the prefix "__Origin-" followed by the domain that served the parent page (the origin) and, optionally, a name postfix. Example:

    Set-Cookie: __Origin-apps.contoso.com-accessToken=12345; Secure; HttpOnly; SameSite=None

A conformant user agent would ensure that the cookie has been set with a "Secure" attribute and that the domain following "__Origin-" matches the request Origin. In addition, a conformant user agent would not send an "__Origin-" cookie if the domain in the cookie name does not match the Origin, excluding port. A server should ignore "__Origin-" cookies whose name doesn't match the Origin request header.

This combination yields cookies that are pinned to a specific origin and thus well suited to roundtrip session ids or JWTs (immune to XSS session hijacking attacks).

Regards,
Paolo Argentieri
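Added example, not code from the original post: the user-agent acceptance check, the user-agent send filter and the server-side filter that the proposal describes, written in Python for the proposed (hypothetical) "__Origin-" prefix. It assumes that an optional postfix is separated from the host by "-" and that, when no Origin request header is present, the server accepts no "__Origin-" cookie at all.

```python
from urllib.parse import urlsplit

PREFIX = "__Origin-"

def origin_host(origin):
    """Host of an origin such as "https://apps.contoso.com:8443"; the port is excluded, as proposed."""
    return (urlsplit(origin).hostname or "").lower()

def name_matches_origin(cookie_name, origin):
    """True if an "__Origin-" cookie is locked to this origin (non-prefixed cookies are unconstrained).
    Comparing "prefix + host" directly, instead of splitting on the first "-", keeps
    hyphenated hostnames unambiguous (assumed parsing rule, not stated in the proposal)."""
    if not cookie_name.startswith(PREFIX):
        return True
    host = origin_host(origin)
    locked = PREFIX + host
    return bool(host) and (cookie_name == locked or cookie_name.startswith(locked + "-"))

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {lowercased attribute names})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {p.partition("=")[0].strip().lower() for p in rest}
    return name.strip(), value, attrs

def ua_accepts(set_cookie, response_origin):
    """User agent: store an "__Origin-" cookie only if it is Secure, came over https
    and names the origin that set it."""
    name, _, attrs = parse_set_cookie(set_cookie)
    if not name.startswith(PREFIX):
        return True
    return ("secure" in attrs and urlsplit(response_origin).scheme == "https"
            and name_matches_origin(name, response_origin))

def ua_cookies_to_send(jar, request_origin):
    """User agent: never send an "__Origin-" cookie to a host other than the one in its name."""
    return {n: v for n, v in jar.items() if name_matches_origin(n, request_origin)}

def server_accept(cookie_header, origin_header):
    """Server: ignore "__Origin-" cookies whose name does not match the Origin request
    header (assumed: with no Origin header, no "__Origin-" cookie is accepted)."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name.startswith(PREFIX) and not (origin_header and name_matches_origin(name, origin_header)):
            continue
        if name:
            cookies[name] = value
    return cookies
```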
Received on Monday, 7 September 2020 07:18:24 UTC