Re: Opting in to cookies - proposal version 3 from Ian Hickson on 2008-06-20 (public-webapps@w3.org from April to June 2008)

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 20 Jun 2008 00:53:25 +0000 (UTC)
To: Jonas Sicking <jonas@sicking.cc>
Cc: Web Applications Working Group WG <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.62.0806200050110.13974@hixie.dreamhostps.com>

On Thu, 19 Jun 2008, Jonas Sicking wrote:
> > 
> > So I guess I don't really understand what your proposal solves, then. 
> > It seems like a lot of complexity for only a very minimal gain in only 
> > one very specific scenario (the site doesn't ever return cookie-based 
> > data cross-site). We're still relying on the author not making 
> > mistakes, despite "the author will make a mistake" being our 
> > underlying assumption. If the site has to know to not include the 
> > cookie opt-in header, why not just have the site ignore the cookies? 
> > (It also introduces the problems that Maciej mentioned, which I think 
> > are valid problems.)
> 
> Well, we are talking about two very different types of misstakes, which 
> I think have very different likelyhoods of happening. If I understand 
> you correctly.
> 
> One misstake is having URIs in the URI space where you opt in to 
> Access-Control which serve private data without you realizing it.
> 
> The other mistake is intentionally publishing private data but 
> forgetting to ask your users first before doing so.
> 
> Seems to me that the former is a lot more likely than the latter.

Right but the mistake that we're not doing anything about and which seems 
likely to be far more common than either of those is:

Having URIs in the URI space where you opt in to Access-Control _and_ opt 
in to cookies which serve or affect private data without you realizing it.

That is, your solution only works so long as the site doesn't ever opt in 
to cookies. Which seems uncommon.

(I'm assuming that the case of providing data cross-domain for simple GET 
requests is most easily handled just by having that script send back the 
right magic, in which case none of this applies as the URI space is one 
URI and there are no preflights at all. For this use case we don't have 
to worry about cookies at all as the server just wouldn't look at them.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Friday, 20 June 2008 00:54:04 UTC