Re: Opting in to cookies - proposal version 3

Ian Hickson wrote:
> On Thu, 19 Jun 2008, Jonas Sicking wrote:
>>> This only helps with servers that have same-domain pages that accept 
>>> cookies, but have no cross-domain pages that accept cookies, ever 
>>> (since if any of the cross-domain pages accept cookies, then our 
>>> initial assumption -- that the site author makes a mistake and his 
>>> site reacts to cookies in third-party requests by doing bad things -- 
>>> means that he's lost).
>> How so? Sites that have a combination of private and public data can, 
>> and hopefully will, only set the Access-Control-With-Credentials header 
>> for the parts that serve private data. It needs to apply different 
>> opt-in policies here anyway since it needs to ask the user before 
>> sharing any of his/her data.
> 
> The scenario we are trying to address is the scenario where an author has 
> accidentally allowed cross-site access to a part of the site that gives 
> users abilities if they provide valid credentials, to prevent other sites 
> from pretending to be the user and acting in a user-hostile way as if on 
> the user's behalf.
> 
> Thus we are assuming that if a cookie is sent to the server with a 
> cross-site request, the server will be vulnerable. That is the fundamental 
> assumption.
> 
> Now, we can work around that by making it that authors don't accept 
> cookies for cross-site requests, but only accept them from same-site 
> requests. That works, because our assumption only relates to cross-site 
> requests that _do_ include cookies.
> 
> If the server then opts in to receiving cookies, then the server will 
> receive cookies. Our assumption is that if a cookie is sent to the server 
> with a cross-site request, the server will be vulnerable. Thus the server 
> is now again vulnerable.
> 
> We can't pretend that the author will make a mistake if they always 
> receive cookies but then assume that the author will suddenly stop making 
> mistakes when we provide them with a way to opt in to cookies. Either the 
> author is going to make mistakes, or he isn't. We have to be consistent in 
> our threat assessment.

Yes, if they only do that then they will be vulnerable.

The site is as always responsible for asking the user before allowing 
third-party access to private data, and yes, if they fail to do so 
properly they will be vulnerable.

/ Jonas

Received on Friday, 20 June 2008 00:03:25 UTC
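
The two positions in this exchange, as an added example that is not part of the original thread: a toy server model showing that opting in to cross-site cookies alone brings back the vulnerable state, while a per-origin user-consent check closes it. The `Site`/`Resource` classes, the consent store, the origins and the paths are all assumptions made for illustration; the opt-in is modelled as a per-resource flag rather than any particular header syntax.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    private: bool   # serves per-user data
    opts_in: bool   # site has opted in to receiving cookies cross-site here

@dataclass
class Site:
    origin: str
    resources: dict
    # Hypothetical consent store: (user, third-party origin) pairs the user approved.
    grants: set = field(default_factory=set)

    def handle(self, path, request_origin, cookie_user, check_consent=True):
        """Return (status, user the request is treated as acting for)."""
        res = self.resources[path]
        if request_origin in (None, self.origin):
            return 200, cookie_user          # same-site: cookies honoured as usual
        if not res.opts_in:
            # No opt-in: the cross-site request arrives without cookies.
            return (403 if res.private else 200), None
        # Opted in: the cookie is present on the cross-site request.
        if check_consent and (cookie_user, request_origin) not in self.grants:
            return 403, None                 # user never approved this origin
        return 200, cookie_user

# Constructed sample data.
SITE = Site(
    origin="https://bank.example",
    resources={"/news": Resource(private=False, opts_in=False),
               "/account": Resource(private=True, opts_in=True)},
    grants={("alice", "https://budget.example")},
)

def demo():
    other = "https://other.example"
    return {
        "opt_in_only": SITE.handle("/account", other, "alice", check_consent=False),
        "opt_in_plus_consent": SITE.handle("/account", other, "alice"),
        "approved_origin": SITE.handle("/account", "https://budget.example", "alice"),
        "public_no_opt_in": SITE.handle("/news", other, "alice"),
        "same_site": SITE.handle("/account", SITE.origin, "alice"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The `opt_in_only` case is the one the quoted message warns about: the request from an unapproved origin is treated as acting for the logged-in user.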