- From: Patrick Meenan <patmeenan@gmail.com>
- Date: Thu, 31 Oct 2024 12:12:47 -0400
- To: רועי ברקאי <roybarkayyosef@gmail.com>
- Cc: Rory Hewitt <rory.hewitt@gmail.com>, Yoav Weiss <yoav.weiss@shopify.com>, Daniel Stenberg <daniel@haxx.se>, Colin Bendell <colin.bendell@shopify.com>, HTTP Working Group <ietf-http-wg@w3.org>, Anne van Kesteren <annevk@apple.com>
- Message-ID: <CAJV+MGwibF1NBO5jr_F3TUaTofcAUH=4DwBJ1KXu8ORZbzJBig@mail.gmail.com>
I agree in principle to subdomains-only, but wouldn't the risks called out also be a problem with clear-site-data, which wipes out all cookies (including parent and horizontally to peers)?

On Thu, Oct 31, 2024 at 12:02 PM רועי ברקאי <roybarkayyosef@gmail.com> wrote:

> Rory, please read my response.
>
> I agree with Rory on most of the solution.
> I believe an issue may arise when an authority example.com may delete a cookie for a.example.com; this may have supply chain attack vector possibilities, therefore I'm against that solution.
> As a tenant of a domain (owner of a subdomain) I wouldn't want my landlord, i.e. the domain of the company I buy services from, to delete the cookies of my users.
>
> Take in mind that many subdomains that use SaaS have their scripts run as well from the parent domain. Therefore a supply chain/DoS attack may take place via removing access to users by deleting their cookies.
>
> On Thu, 31 Oct 2024 at 17:45, Rory Hewitt <rory.hewitt@gmail.com> wrote:
>
>> Since the "Delete-Cookie: abc, def" is a response header, then if sent from a server at e.g. bob.example.com, I would expect it to only delete the "abc" and "def" cookies in the bob.example.com subdomain. Allowing even a higher site (i.e. clearing the "abc" and "def" cookies at the example.com root domain) seems very dangerous. In a federated world, we have things like "customer1.saasprovider.com" who is completely unrelated to "customer2.saasprovider.com", and I wouldn't want either of them to be able to delete cookies at the "saasprovider.com" root domain, since they could have been placed there by either customer.
>>
>> However, allowing "Delete-Cookie: abc, def" sent from bob.example.com to be able to delete those cookies from both bob.example.com and all *.bob.example.com subdomains seems more reasonable, IF one assumes that the bob.example.com server in some way 'controls' its subdomains.
>>
>> In short, the only thing that should be able to delete cookies from a domain is a Delete-Cookie header sent from that domain or a 'higher' (closer to root) domain.
>>
>> Of course, the header could be enhanced in a similar way to HSTS:
>>
>> "Delete-Cookie: abc, def;subDomains, ghi"
>>
>> indicating that (if sent from bob.example.com), the following cookies should be deleted:
>>
>> * "abc" if it has a Domain of bob.example.com
>> * "def" if it has a Domain of bob.example.com or any subdomain of bob.example.com
>> * "ghi" if it has a Domain of bob.example.com
>>
>> But that's getting into more complexity that maybe isn't necessary.
>>
>> On Thu, Oct 31, 2024 at 4:55 AM Patrick Meenan <patmeenan@gmail.com> wrote:
>>
>>> I'm assuming the scope would be similar to clear-site-data: "cookies" where, at least in w3c land, it clears across all of the subdomains in the "registered domain" (https://www.w3.org/TR/clear-site-data/#clear-cookies), just with the ability to target a specific name instead of nuking everything.
>>>
>>> Should it be limited to the direct hierarchy or should it also impact same-level origins like clear-site-data does? i.e. bob.example.com clears from bob.example.com and example.com but should it be able to target deleting from alice.example.com?
>>>
>>> On Thu, Oct 31, 2024 at 6:57 AM Yoav Weiss <yoav.weiss@shopify.com> wrote:
>>>
>>>> On Thu, Oct 31, 2024 at 11:49 AM רועי ברקאי <roybarkayyosef@gmail.com> wrote:
>>>>
>>>>> As a first party cookie holder you may set an expiration date on the cookie you have created.
>>>>
>>>> Sure, but since setting an expiration date requires predicting the future, we need a way to correct past predictions that didn't quite work out.
>>>>
>>>>> Allowing cross site cookie deletion would enable issues for users as an attacker may remove all mostly used cookie names
>>>>
>>>> Can you expand on that? I wouldn't expect a server to be able to delete cookies that it can't receive, if that makes sense.
>>>>
>>>>> On Thu, Oct 31, 2024, 12:39 Yoav Weiss <yoav.weiss@shopify.com> wrote:
>>>>>
>>>>>> On Thu, Oct 31, 2024 at 11:15 AM Daniel Stenberg <daniel@haxx.se> wrote:
>>>>>>
>>>>>>> On Thu, 31 Oct 2024, Yoav Weiss wrote:
>>>>>>>
>>>>>>> > `Delete-Cookie: name1, name2` as an example syntax, which seems simple
>>>>>>> > enough and can get the job done.
>>>>>>>
>>>>>>> Since cookies are hierarchical, it should probably be noted that this list identifying 'name1' and 'name2' can in fact match numerous cookies (for different paths), not just two, and there is no way for this syntax to delete just a subset of them.
>>>>>>
>>>>>> That's true. At the same time, the use case at hand is one where we want to delete cookies when we have no knowledge of their path. So I believe it's fine to delete all matching cookies.
>>>>>>
>>>>>> +Colin Bendell <colin.bendell@shopify.com> to keep me honest, as he's closer to this work.
>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> / daniel.haxx.se
>>
>> --
>> Rory Hewitt
>>
>> https://www.linkedin.com/in/roryhewitt
Received on Thursday, 31 October 2024 16:14:04 UTC
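The two scoping models the thread is weighing, as an added example that is not part of this message, the draft, or any browser implementation: the "same domain or descendant only" rule Rory sketches (with his `name;subDomains` flag), and the clear-site-data style scope Patrick compares it to, where everything under the registrable domain is reachable, parents and siblings included. The header syntax is Rory's sketch, the cookie jar is constructed sample data, and the registrable domain is passed in by the caller rather than derived from the Public Suffix List (an assumption made to keep the example self-contained). It also shows Daniel's point that a name matches every path variant at once.

```python
"""Added example: model the Delete-Cookie scoping rules discussed in the thread.
Not code from the thread or any implementation; syntax and rules are assumptions
taken from the discussion, and SAMPLE_JAR is constructed data."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str   # the cookie's Domain attribute (host-only cookies carry the host)
    path: str


def parse_delete_cookie(header: str) -> list[tuple[str, bool]]:
    """Parse Rory's sketch 'abc, def;subDomains, ghi' into [(name, include_subdomains)]."""
    directives = []
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        parts = [p.strip() for p in item.split(";")]
        name, flags = parts[0], {f.lower() for f in parts[1:]}
        directives.append((name, "subdomains" in flags))
    return directives


def domain_matches(cookie_domain: str, host: str, include_subdomains: bool) -> bool:
    """Hierarchy rule: the responding host may only touch cookies whose Domain equals
    the host or, with subDomains, is a descendant of it. A parent (example.com) or a
    sibling (alice.example.com) is never reachable. The label boundary check keeps
    'notbob.example.com' from matching 'bob.example.com'."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    host = host.lower()
    if cookie_domain == host:
        return True
    return include_subdomains and cookie_domain.endswith("." + host)


def registrable_domain_matches(cookie_domain: str, registrable_domain: str) -> bool:
    """Clear-site-data style scope as Patrick describes it: every cookie under the
    registrable domain. The registrable domain is supplied by the caller here (assumption);
    a real implementation derives it from the Public Suffix List."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    rd = registrable_domain.lower()
    return cookie_domain == rd or cookie_domain.endswith("." + rd)


def apply_delete_cookie(jar: list[Cookie], host: str, header: str,
                        registrable_domain: str | None = None) -> tuple[list[Cookie], list[Cookie]]:
    """Return (remaining, deleted). With registrable_domain=None the hierarchy rule applies;
    otherwise the wider clear-site-data style scope. Every path variant of a matching
    name is removed; the syntax has no way to target a single path."""
    directives = parse_delete_cookie(header)
    remaining, deleted = [], []
    for c in jar:
        if registrable_domain is None:
            hit = any(c.name == n and domain_matches(c.domain, host, subs) for n, subs in directives)
        else:
            hit = any(c.name == n and registrable_domain_matches(c.domain, registrable_domain)
                      for n, _ in directives)
        (deleted if hit else remaining).append(c)
    return remaining, deleted


# Constructed sample jar: one SaaS-style registrable domain with several tenants.
SAMPLE_JAR = [
    Cookie("abc", "bob.example.com", "/"),
    Cookie("abc", "bob.example.com", "/app"),      # second path variant of the same name
    Cookie("abc", "example.com", "/"),             # parent domain
    Cookie("abc", "alice.example.com", "/"),       # sibling tenant
    Cookie("def", "bob.example.com", "/"),
    Cookie("def", "api.bob.example.com", "/"),     # descendant of bob
    Cookie("abc", "api.bob.example.com", "/"),     # descendant, but 'abc' has no subDomains flag
    Cookie("ghi", "bob.example.com", "/"),
    Cookie("ghi", "example.com", "/"),             # parent domain
    Cookie("def", "notbob.example.com", "/"),      # shares a suffix string, not a label boundary
]
DELETE_HEADER = "abc, def;subDomains, ghi"   # response from bob.example.com


if __name__ == "__main__":
    for label, rd in (("hierarchy rule", None), ("registrable-domain scope", "example.com")):
        remaining, deleted = apply_delete_cookie(SAMPLE_JAR, "bob.example.com", DELETE_HEADER, rd)
        print(f"{label}: deleted {len(deleted)}, kept {len(remaining)}")
        for c in deleted:
            print(f"  - {c.name} domain={c.domain} path={c.path}")
```

Under the hierarchy rule the response from bob.example.com removes five cookies (both path variants of "abc" at bob.example.com, "def" at bob.example.com and api.bob.example.com, and "ghi" at bob.example.com) and leaves the parent, the sibling tenant and the look-alike suffix untouched; under the registrable-domain scope the same header empties the whole jar, which is the behaviour the tenant objection in the thread is about.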