On Mon, Sep 28, 2015 at 4:56 PM, henry.story@bblfish.net <
henry.story@bblfish.net> wrote:
> This whole wiki page has so many problems it's effectively a gish gallop*,
> preventing meaningful conversation because no one could possibly respond to
> all of the problems.
>
>
> Just start with one or two you find will make your case the best.
>
Well, here's some text I assumed you added in response to my criticisms of
the document originally saying that cookies follow SOP:
Cookies, as specified by RFC6265: HTTP State Management Mechanism
<http://tools.ietf.org/html/rfc6265> implement a fuzzy notion of single
origin. We can distinguish two notions of Single Origin:
- a strong notion of Single Origin where two origins are identical only
if they are named by the same protocol, domain, port triple
- a weak notion of Single Origin where the two origins are identical if
they refer to the same agent.
It's not the "Single Origin policy", it's the *same-origin policy*.
Furthermore, there is no "strong" or "weak" notion of it. The origin *must
be the same*.
Regarding RFC-6265, let's see what it actually has to say:
For historical reasons, cookies contain a number of security and
privacy infelicities. For example, a server can indicate that a
given cookie is intended for "secure" connections, but the Secure
attribute does not provide integrity in the presence of an active
network attacker. Similarly, cookies for a given host are shared
across all the ports on that host, even though the usual "same-origin
policy" used by web browsers isolates content retrieved via different
ports.
RFC-6265 is in effect telling us that cookies are broken because a long
time ago Netscape made some bad decisions.
> Perhaps we can start simple:
> - what definition of SOP do you use, or do you think we should use? I
> cited the IETF RFC defining SOP which I read carefully.
>
It's pretty simple. First, it's the "same-origin policy". Second, it works
like this:
Scheme/Protocol: Identical
Host: Identical
Port: Identical
Anything besides this is not following SOP.
--
Tony Arcieri
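To make the distinction concrete, here is an added example (not code from the thread or from either participant) that puts the strict scheme/host/port comparison next to the port-blind cookie scope the RFC 6265 passage quoted above describes. All URLs and the cookie records are constructed for illustration.

```javascript
// Added example (not from the thread): same-origin policy versus RFC 6265
// cookie scope. All URLs and cookie records below are constructed.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// The (scheme, host, port) triple the same-origin policy compares.
// The WHATWG URL parser drops a default port, so it is restored here.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Same-origin policy: all three components must be identical.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// RFC 6265 section 5.1.3 domain matching: equal, or a dot-delimited
// suffix of a host name (an IP address literal never suffix-matches).
function domainMatches(requestHost, cookieDomain) {
  const s = requestHost.toLowerCase(), d = cookieDomain.toLowerCase();
  if (s === d) return true;
  if (/^\d+(\.\d+){3}$/.test(s)) return false;
  return s.endsWith("." + d);
}

// Cookie scope: the port is ignored entirely, the scheme only matters for
// Secure cookies, and a Domain attribute widens the scope to subdomains.
// cookie = { domain, hostOnly, secure }
function cookieSentTo(cookie, requestUrl) {
  const u = new URL(requestUrl);
  if (cookie.secure && u.protocol !== "https:") return false;
  return cookie.hostOnly
    ? u.hostname === cookie.domain.toLowerCase()
    : domainMatches(u.hostname, cookie.domain);
}

// Side-by-side verdict: does "same origin" agree with "cookie is sent"?
function contrast(cookie, setFrom, requestTo) {
  return {
    sameOrigin: sameOrigin(setFrom, requestTo),
    cookieSent: cookieSentTo(cookie, requestTo),
  };
}
```

Running `contrast` on a host-only cookie set from `https://example.com/` against `https://example.com:8443/` reports a different origin but the cookie still being sent, which is exactly the port-sharing the RFC text calls an infelicity.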