Origin-Bound Cookies (OBC)

Hello HTTP Working Group,

Origin-Bound Cookies (OBC) is a mechanism that updates the existing Cookies
specification (https://datatracker.ietf.org/doc/draft-ietf-httpbis-layered-cookies/),
aiming to enhance cookie security by default through binding cookies by
port and scheme. This addresses the current weakness in cookie
confidentiality where cookies are not scoped to the origin by default.

This "default-insecure" behavior can lead to several security
vulnerabilities, as detailed in the examples below:

   - Weak Confidentiality: An attacker can read sensitive user data set by a
     secure site if it is unintentionally sent to an insecure site. For
     instance, if https://somesite.com sets a secret cookie, an attacker
     could trick a user into visiting http://somesite.com (note the insecure
     scheme). The browser would then send the secret cookie, allowing the
     attacker to intercept it.

   - Weak Integrity: An insecure site, controlled by a network attacker,
     could set a malicious cookie that is then sent to the secure version of
     that site. Similarly, if an attacker compromises a service on a different
     port (e.g., https://somesite.com:345), they could trick the user into
     visiting this compromised port, and the secret cookie would be sent,
     allowing the attacker to read or even modify it.

These issues are caused by the fact that cookies, by default, do not
consider the scheme or port of their connection, making them accessible as
long as the host matches.

To resolve these issues, we propose changes to the Cookies specification by
binding cookies to the port and scheme, which will prevent these attacks
and significantly improve cookie security. The following draft,
"Origin-Bound Cookies," provides more details:

https://datatracker.ietf.org/doc/draft-amarjotgill-origin-bound-cookies-protocol/

The key changes introduced by Origin-Bound Cookies include:

   1. Port Bound Behavior: The Cookie Struct will be altered to include a
      "port" attribute, ensuring that a cookie set by https://example.com will
      only be sent to https://example.com(:443) and not to a different port
      like https://example.com:8443. Pre-existing cookies with an unspecified
      "port" will have a null value and be treated with legacy behavior.

   2. Scheme Bound Behavior: Similarly, a "scheme" attribute will be added to
      the Cookie Struct. This ensures that a cookie set by https://example.com
      will only be sent to https://example.com and not to http://example.com.
      Pre-existing cookies with an unspecified "scheme" will have a null value
      and be treated with legacy behavior.
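To make the matching rule concrete, here is an added illustration (not code from the draft or from any browser) of how a user agent's send decision changes once the "scheme" and "port" attributes are recorded on the cookie, with null attributes falling back to legacy host-only matching. The Cookie record, store_cookie and would_send are hypothetical names chosen for this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Cookie:
    """Hypothetical cookie record. scheme/port are the two attributes the
    OBC draft adds; None models a pre-existing cookie with legacy behavior."""
    name: str
    host: str
    scheme: Optional[str] = None
    port: Optional[int] = None


def origin_of(url: str) -> Tuple[str, str, int]:
    """Return (scheme, host, effective port) for a URL."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return parts.scheme, parts.hostname, port


def store_cookie(name: str, set_by_url: str, origin_bound: bool) -> Cookie:
    """Record a cookie set by a response from set_by_url.
    With origin_bound=True the setting origin's scheme and port are stored;
    otherwise they stay None, i.e. the cookie behaves like a legacy cookie."""
    scheme, host, port = origin_of(set_by_url)
    if origin_bound:
        return Cookie(name, host, scheme, port)
    return Cookie(name, host)


def would_send(cookie: Cookie, request_url: str) -> bool:
    """Decide whether the browser attaches the cookie to request_url.
    Host must always match; scheme and port are only checked when the cookie
    carries them, so null attributes keep the legacy host-only rule."""
    scheme, host, port = origin_of(request_url)
    if cookie.host != host:
        return False
    if cookie.scheme is not None and cookie.scheme != scheme:
        return False
    if cookie.port is not None and cookie.port != port:
        return False
    return True
```

Run against the constructed scenario from the list above (a secret set by https://somesite.com), the legacy cookie is attached to http://somesite.com and to https://somesite.com:345, while the origin-bound cookie is only attached to https://somesite.com on port 443.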


Origin-Bound Cookies are considered a net positive for security, mitigating
weak integrity and weak confidentiality. While OBC will obsolete the
purpose of the Secure attribute, this proposal does not remove support for
Secure, which could be a future consideration for the HTTP WG.

I am interested in collecting feedback for Origin-Bound Cookies and would
appreciate hearing the WG's thoughts on possible integration of the draft
into layered-cookies.

Thanks,

Amarjot

Received on Tuesday, 28 October 2025 13:02:46 UTC