On Thu, Feb 20, 2025 at 9:17 AM Yoav Weiss <yoav.weiss@shopify.com> wrote:
>
>
> On Wed, Feb 19, 2025 at 3:16 PM Anne van Kesteren <annevk@annevk.nl>
> wrote:
>
>> On Wed, Feb 19, 2025 at 2:11 PM Yoav Weiss <yoav.weiss@shopify.com>
>> wrote:
>> > Looking at the current prefixes, it might be fitting to add an
>> "__HttpOnly" prefix that would have the following semantics:
>> > * The cookie is rejected if it's set as a client-side cookie, rather
>> than through a `Set-Cookie` header
>> > * The cookie is rejected if it's set without an "HttpOnly" attribute
>> >
>> > Does this make rough sense?
>>
>> At the very least it should minimally enforce __Secure- semantics,
>
>
> Makes sense!
>
>
>> but
>> this raises the question of what should happen if you also want to
>> enforce __Host-.
>
>
> Dan enumerated some options. I like `__HostHttpOnly` for that case.
>
>
>> And also what adoption of these prefixes has been
>> thus far.
>
>
> Looking at the HTTPArchive for November 2024, we see 840008577 responses
> with "Set-Cookie" headers and a "__Secure" in their value, out of
> 5307965614 responses overall.
> That's roughly 15.8%. So I'd say this is pretty widely used.
>
After talking to +Barry Pollard <barrypollard@google.com> and +Mateusz
Krzeszowiak <mateusz.krzeszowiak@shopify.com>, a few corrections:
It seems like the percentage of cookies that have a __Secure prefix is
relatively low <https://almanac.httparchive.org/en/2024/cookies#cookie-prefixes>
at ~0.03%.
I was counting the number of responses that have `__Secure` cookies in them
out of the number of overall responses.
A slightly better way of looking at this is to count the number of domains
__Secure cookies are set on compared to the overall. That's 14.77% of
domains.
Finally, if we're looking at sites, 58.69% of them have some __Secure
cookie (most probably influenced by third parties).
>
>> Because if it's very low it's a bit unclear if we should
>> continue to invest in them as they do require checks all over the
>> place.
>>
>
> At least in Chromium the checks seem pretty well-contained
> <https://source.chromium.org/chromium/chromium/src/+/main:net/cookies/cookie_util.cc;l=744;drc=8b7ec5d99ad2d76762011a50ed1c14d754e3ff5f;bpv=1;bpt=1>.
>
>
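As an added example (not code from this thread, nor from Chromium or any browser), here is a small Python check that applies the standard `__Secure-` and `__Host-` prefix rules to a Set-Cookie value and, as an assumption modelling the proposal discussed above, treats `__HttpOnly-` and `__HostHttpOnly-` as requiring `HttpOnly` and rejecting cookies set from script; the header strings are constructed.

```python
# Added example (not from the thread or any browser's code): a Set-Cookie
# prefix checker covering the standard __Secure- / __Host- rules and, as an
# ASSUMPTION modelling the proposal above, __HttpOnly- and __HostHttpOnly-.

def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, attrs); attrs keys are lower-cased."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, has_value, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return name.strip(), value.strip(), attrs

def prefix_violations(header: str, *, from_script: bool = False) -> list[str]:
    """Return the prefix rules this cookie breaks (empty list means accept).

    from_script=True models a cookie set via document.cookie instead of a
    Set-Cookie header, which the proposed __HttpOnly- prefix would reject.
    """
    name, _, attrs = parse_set_cookie(header)
    lowered = name.lower()                           # prefixes match case-insensitively
    need_secure = need_host = need_httponly = False
    if lowered.startswith("__secure-"):
        need_secure = True
    elif lowered.startswith("__host-"):
        need_secure = need_host = True
    elif lowered.startswith("__httponly-"):          # proposed prefix (assumption)
        need_secure = need_httponly = True
    elif lowered.startswith("__hosthttponly-"):      # proposed prefix (assumption)
        need_secure = need_host = need_httponly = True
    else:
        return []                                    # unprefixed cookie: no extra rules

    problems = []
    if need_secure and "secure" not in attrs:
        problems.append("missing Secure attribute")
    if need_host and "domain" in attrs:
        problems.append("Domain attribute not allowed")
    if need_host and attrs.get("path") != "/":
        problems.append("Path must be exactly '/'")
    if need_httponly and "httponly" not in attrs:
        problems.append("missing HttpOnly attribute")
    if need_httponly and from_script:
        problems.append("must be set via Set-Cookie, not document.cookie")
    return problems
```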