Hey folks!
There are cases where it's important to distinguish on the server side
between cookies that were set by the server and ones that were set by the
client.
One such case is cookies that are normally *always* set by the server,
unless some unexpected code (an XSS exploit, a malicious extension, a
commit from a confused developer, etc) happens to set them on the client.
It seems important to add some (opt-in) signal that would enable the server
to make such a distinction.
Looking at the current prefixes
<https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#section-4.1.3>,
it might be fitting to add an "__HttpOnly" prefix that would have the
following semantics:
* The cookie is rejected if it's set as a client-side cookie, rather than
through a `Set-Cookie` header
* The cookie is rejected if it's set without an "HttpOnly" attribute
<https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-httponly-attribute-2>
Does this make rough sense?
If so, I'll draft up something more formal.
Cheers :)
Yoav
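A toy model of how a user agent might apply the proposed prefix next to the existing `__Secure-` and `__Host-` rules, added here as an illustration; it is not code from the message above or from the httpbis draft. The prefix spelling `__HttpOnly-` (with a trailing hyphen, mirroring the existing prefixes), the `source`/`secureOrigin` parameters and the case-sensitive prefix match are assumptions of this example. The same function is fed both a `Set-Cookie` header and a `document.cookie` string so the difference the prefix makes is visible.

```javascript
// Added example (not from the draft or the original post): a simplified
// model of a user agent's cookie-acceptance checks, extended with the
// proposed "__HttpOnly-" prefix. Prefix spelling and parameter names are
// assumptions; real cookie parsing is more involved than this.

// Parse a Set-Cookie header (or a document.cookie string, same syntax)
// into the fields the prefix rules care about.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  if (eq < 0) return null;
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    secure: false,
    httpOnly: false,
    domain: null,
    path: null,
  };
  for (const attr of parts.slice(1)) {
    const [k, ...rest] = attr.split('=');
    const key = k.trim().toLowerCase();
    const val = rest.join('=').trim();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'domain') cookie.domain = val;
    else if (key === 'path') cookie.path = val;
  }
  return cookie;
}

// Returns the accepted cookie, or null if the user agent must reject it.
// `source` is 'http' for a Set-Cookie header and 'script' for document.cookie;
// `secureOrigin` is true when the setting context is a secure origin.
function acceptCookie(header, { source, secureOrigin }) {
  const c = parseSetCookie(header);
  if (c === null) return null;

  // Existing rules from RFC 6265bis section 4.1.3 (simplified):
  // __Secure- needs the Secure attribute and a secure origin.
  if (c.name.startsWith('__Secure-')) {
    if (!c.secure || !secureOrigin) return null;
  }
  // __Host- additionally forbids Domain and requires Path=/.
  if (c.name.startsWith('__Host-')) {
    if (!c.secure || !secureOrigin || c.domain !== null || c.path !== '/') {
      return null;
    }
  }

  // Proposed rule (assumption, modelling the two bullets in the message):
  // reject if not set through a Set-Cookie header, and reject if the
  // HttpOnly attribute is missing.
  if (c.name.startsWith('__HttpOnly-')) {
    if (source !== 'http' || !c.httpOnly) return null;
  }

  // Existing rule: a non-HTTP API cannot set a cookie carrying HttpOnly.
  if (source === 'script' && c.httpOnly) return null;

  return c;
}

// Constructed sample inputs showing why the prefix helps: today a script can
// plant a plain "session" cookie the server cannot tell apart from its own,
// but it cannot plant a "__HttpOnly-session" cookie under the proposed rule.
const ctx = { secureOrigin: true };
console.log(
  'server sets __HttpOnly-session:',
  acceptCookie('__HttpOnly-session=abc; Secure; HttpOnly; Path=/', { ...ctx, source: 'http' }) !== null,
);
console.log(
  'script sets session:',
  acceptCookie('session=evil', { ...ctx, source: 'script' }) !== null,
);
console.log(
  'script sets __HttpOnly-session:',
  acceptCookie('__HttpOnly-session=evil', { ...ctx, source: 'script' }) !== null,
);
```

Because the prefix also demands the `HttpOnly` attribute, a cookie with that name arriving at the server can only have come through a `Set-Cookie` header, which is the signal the message asks for; a plain name offers no such guarantee.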