Re: Opting in to cookies - proposal from Maciej Stachowiak on 2008-06-19 (public-webapps@w3.org from April to June 2008)

From: Maciej Stachowiak <mjs@apple.com>
Date: Thu, 19 Jun 2008 08:38:33 -0700
To: Jonas Sicking <jonas@sicking.cc>
Cc: public-webapps@w3.org
Message-Id: <4BF05CE7-9ECA-4973-9E98-CE95B57415A8@apple.com>
On Jun 14, 2008, at 4:23 AM, Jonas Sicking wrote:
>
>
>> I must say though, this is starting to sound complex and I am not  
>> totally convinced of the need to make servers opt in to getting  
>> cookies. Is it really a likely mistake that someone would take  
>> affirmative steps to enable cross-site access to a per-user  
>> resource, but then neglect to check whether requests are cross-site  
>> and act appropriately?
>
> I do think there is a big risk of that yes. I do think that many  
> sites that today serve public data do have a few pages in there  
> which contain forms or other pages that serve user specific data.
>
> Even something as simple as a news site that largely serves public  
> news articles might have a cookie where the user has chosen a home  
> location for local news. This is the case on the news site I use for  
> example, it usually just serves a standard list of news, but if I  
> give it my home zip code, it will additionally serve a section of  
> local news.

I guess I don't see that as a huge risk. In the case of the  
hypothetical news site, if it is handing out news in some kind of data  
feed format, wouldn't the point of access-control be to give the  
personalized feed? After all, you could otherwise use server-to-server  
communication to get the public data.

>
> This is something that could very easily be overlooked by an  
> administrator that just configures his server to add a "Access- 
> Control: allow<*>" header using a site-wide configuration file,  
> without going through all CGI scripts on the server and teaching the  
> ones that honor cookies to ignore the cookies for cross-site requests.

No site should add "Access-Control: allow<*>" site-wide! I mean, I  
guess it's possible people will do this, but people could add "Access- 
Control-Allow-Credentials" site-wide too. And if we add "Access- 
Control-Allow-Credentials-I-Really-Mean-It", they'll add even more.

Basically the part of this that worries me is that it requires  
agreement between the client and the server, but those are expected to  
be controlled by different parties in many cases. If our favorite news  
site starts out only offering unpersonalized news feeds to other  
sites, but then wants to use cookies to personalize, then all existing  
clients of its cross-site data must change. That seems like a huge  
burden. Worse yet, if the site changes its mind in the other  
direction, existing clients break completely.

>
>> And if the administrator of such a server thoughtlessly enabled  
>> cross-site access without thinking about the consequences, would  
>> they not be equally likely to enable cross-site cookies without  
>> thinking about the consequences?
>
> Not more likely than someone adding any other header without knowing  
> what it does. This is why I designed my proposal such that opting in  
> to cookies is a separate "step".

But you are expecting people to add Access-Control without knowing  
what it does.

>> It seems like we are adding a lot of complexity (and therefore more  
>> opportunity for implementation mistakes) for a marginal reduction  
>> in the likelihood of server configuration errors.
>
> I think the ability to separate sharing of private data from sharing  
> of public data is a huge help for server operators. So I think this  
> is much more than a marginal reduction of configuration errors.

The possibility of making this separation is there - simply ignore  
Cookie and/or Authorization headers when Access-Control-Origin is  
present. So this opt-in doesn't offer a new capability, just changes  
the defaults.

After reviewing your comments, I am much more inclined to favor  
Microsoft's proposal on this: rename the relevant headers. I think you  
argued that this "doesn't scale", but I think only two headers have to  
be renamed, "Cookie" and "Authorization". Note that other  
authentication-related headers, if any, do not need to be renamed,  
because without the "Authorization" header being present, no other  
authentication processing will take place. If the headers have  
different names, it's very hard to reveal private data accidentally.  
No site-wide blanket addition with headers will cause it, you have to  
go out of your way to process an extra header and treat it the same as  
"Cookie". It would allow allow servers to choose whether to offer  
personalized or public data and change their mind at any time, without  
having to change clients of the data. It would also work for inclusion  
of cross-site data via mechanisms that don't have a convenient way to  
add an out of band flag.

The only downside I can think of to this approach is that it may break  
load balancers that look at cookies, unless they are changed to also  
consider the new header ("Cross-Site-Cookie"?).

> I asked this in a separate thread already, but have you guys at  
> apple had your security people look through the spec. Were they  
> comfortable both with always sending cookies as well as always  
> enabling all HTTP methods and headers?

I am one of Apple's security people, at least with respect to browser  
stuff. We do our best to coordinate with other security experts at the  
company as well.

Regards,
Maciej
Received on Thursday, 19 June 2008 15:39:15 UTC