Re: Delete-Cookie header??

Since the "Delete-Cookie: abc, def" is a response header, then if sent from
a server at e.g. bob.example.com, I would expect it to only delete the
"abc" and "def" cookies in the bob.example.com subdomain. Allowing even a
higher iste (i.e. clearing the "abc" and "def" cookies at the example.com
root domain seems very dangerous. In a federated world, we have things like
"customer1.saasprovider.com" who is completely unrelated to "
customer2.saasprovider.com", and I wouldn't want either of them to to be
able to delete cookies at the "saasprovider.com" root domain, since they
could have been placed there by either customer.

However, allowing "Delete-Cookie: abc, def" sent from bob.example.com to be
able to delete those cookies from both bob-example.com and all *.
bob.example.com subdomains seems more reasonable, IF one assumes that the
bob.example.com server in some way 'controls' its subdomains.

In short, the only thing that should be able to delete cookies from a
domain is a Delete-Cookie header sent from that domain or a 'higher'
(closer to root) domain.

Of course, the header could be enhanced in a similar way to HSTS:

"Delete-Cookie: abc, def;subDomains. ghi"

indicating that (if sent from bob.example.com), the following cookies
should be deleted:

* "abc" if it has a Domain of bob.example.com domain
* "def" if it  has a Domain of bob.example.com domain or any subdomains of
bob.example.com
* "ghi" if it has a Domain of bob.example.com domain

But that's getting into more complexity that maybe isn't necessary.



On Thu, Oct 31, 2024 at 4:55 AM Patrick Meenan <patmeenan@gmail.com> wrote:

> I'm assuming the scope would be similar to clear-site-data: "cookies"
> where, at least in w3c land, it clears across all of the subdomains in the
> "registered domain" (https://www.w3.org/TR/clear-site-data/#clear-cookies),
> just with the ability to target a specific name instead of nuking
> everything.
>
> Should it be limited to the direct hierarchy or should it also impact
> same-level origins like clear-site-data does? i.e. bob.example.com clears
> from bob.example.com and example.com but should it be able to target
> deleting from alice.example.com?
>
> On Thu, Oct 31, 2024 at 6:57 AM Yoav Weiss <yoav.weiss@shopify.com> wrote:
>
>>
>>
>> ‪On Thu, Oct 31, 2024 at 11:49 AM ‫רועי ברקאי‬‎ <roybarkayyosef@gmail.com>
>> wrote:‬
>>
>>> As a first party coockie holder you may set an expiration date on the
>>> coockie you have created.
>>>
>>
>> Sure, but since setting an expiration date requires predicting the
>> future, we need a way to correct past predictions that didn't quite work
>> out.
>>
>>
>>> Allowing cross site coockie deletion would enable issues for users as an
>>> attacker may remove all mostly used coockie names
>>>
>>
>> Can you expand on that? I wouldn't expect a server to be able to delete
>> cookies that it can't receive, if that makes sense.
>>
>>
>>>
>>> On Thu, Oct 31, 2024, 12:39 Yoav Weiss <yoav.weiss@shopify.com> wrote:
>>>
>>>>
>>>>
>>>> On Thu, Oct 31, 2024 at 11:15 AM Daniel Stenberg <daniel@haxx.se>
>>>> wrote:
>>>>
>>>>> On Thu, 31 Oct 2024, Yoav Weiss wrote:
>>>>>
>>>>> > `Delete-Cookie: name1, name2` as an example syntax, which seems
>>>>> simple
>>>>> > enough and can get the job done.
>>>>>
>>>>> Since cookies are hierchical, it should probably be noted that this
>>>>> list
>>>>> identifying 'name1' and 'name2' can in fact match numerous cookies
>>>>> (for
>>>>> different paths), not just two and there is no way for this syntax to
>>>>> delete
>>>>> just a subset of them.
>>>>>
>>>>
>>>> That's true. At the same time, the use case at hand is one where we
>>>> want to delete cookies when we have no knowledge of their path.
>>>> So I believe it's fine to delete all matching cookies.
>>>>
>>>> +Colin Bendell <colin.bendell@shopify.com> to keep me honest, as he's
>>>> closer to this work.
>>>>
>>>>
>>>>>
>>>>> --
>>>>>
>>>>>   / daniel.haxx.se
>>>>>
>>>>

-- 
Rory Hewitt

https://www.linkedin.com/in/roryhewitt

Received on Thursday, 31 October 2024 15:45:11 UTC