- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 20 Jun 2008 16:47:17 -0700
- To: Ian Hickson <ian@hixie.ch>
- CC: Web Applications Working Group WG <public-webapps@w3.org>
Ian Hickson wrote:
> On Fri, 20 Jun 2008, Jonas Sicking wrote:
>> Under the current spec the operator must check each individual PHP
>> script in the part of the site that is shared to make sure that none of
>> them use $_SESSION, $_COOKIE, $HTTP_SESSION_VARS, $_ENV['HTTP_COOKIE'],
>> HttpRequest::getCookies(), any of the session_* functions,
>> $_ENV['REMOTE_USER'], $_ENV['REMOTE_IDENT'], $_ENV['HTTP_AUTHORIZATION'], any
>> of the kadm5_* functions, any of the radius_* functions or anything else that
>> I'm missing that does session management based on user credentials.
>>
>> If any of these things are used then the PHP script is likely mixing private
>> data into the public data and so the script needs to be modified to not use
>> any of the above features when the 'Origin' header is present and has a value
>> different from the current domain.
>>
>> While this is certainly doable, I feel that there is a risk that the site
>> administrator will make a mistake and miss some of the above listed features
>> and cause private data to be leaked.
>>
>> So again, the issue isn't in understanding the spec. The issue is securing
>> your site for the security model that the spec requires.
>
> That's all well and good, but what if the site author wants to send back
> some data that _is_ cookie aware? Now he has to go through and do the
> check anyway. So what's the win?
>
> I think it's safe to assume that if the site uses cookies at all, that
> it'll eventually want to provide cross-site access to user data in some
> way.

Ah, sorry, I think I missed your point here.

I don't think that is necessarily true at all. I think one sticking point is that I suspect sites will opt in to Access-Control on pages they are already serving to their users. So I would not be surprised if yahoo opts in on the news.yahoo.com URI, or craigslist opts in for their full URI space.

In such cases I think it's very possible that sites will opt in on URIs that receive and process cookies, but would leak private data if they did so with cookies enabled.

/ Jonas
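The two halves of the procedure the thread argues about, the audit of a script for credential-bearing features and the "serve only public data when Origin names another site" modification, modelled in Python rather than PHP. This is an added example, not code from the thread or from any W3C draft; the regex list is a hypothetical stand-in for the PHP features named in the quoted message, `PHP_SAMPLE` is a constructed script, and the handler names (`serve`, `is_cross_origin`, `credential_uses`) are assumptions.

```python
import re
from urllib.parse import urlsplit

# Credential-bearing PHP features named in the quoted message. These regexes
# are hypothetical and illustrative; a real audit would use a PHP parser.
CREDENTIAL_PATTERNS = [
    r"\$_SESSION\b",
    r"\$_COOKIE\b",
    r"\$HTTP_SESSION_VARS\b",
    r"\$_ENV\[['\"](HTTP_COOKIE|REMOTE_USER|REMOTE_IDENT|HTTP_AUTHORIZATION)['\"]\]",
    r"HttpRequest::getCookies\s*\(",
    r"\bsession_\w+\s*\(",
    r"\bkadm5_\w+\s*\(",
    r"\bradius_\w+\s*\(",
]

# Constructed sample: a script that mixes session state into a public lookup.
PHP_SAMPLE = """<?php
session_start();
$uid = $_SESSION['uid'];
echo json_encode(load_item($_GET['id']));
"""


def credential_uses(php_source):
    """List (line_no, matched_text) for every credential-bearing feature found.

    This is the per-script check the message says the operator has to do for
    every script in the shared part of the site."""
    hits = []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        for pattern in CREDENTIAL_PATTERNS:
            for match in re.finditer(pattern, line):
                hits.append((line_no, match.group(0)))
    return hits


def is_cross_origin(headers, scheme="https"):
    """True when an Origin header is present and names an origin other than
    the one this script is served from (scheme plus the Host header)."""
    origin = headers.get("Origin")
    if origin is None:
        return False
    parts = urlsplit(origin)
    own = (scheme, headers.get("Host", "").lower())
    return (parts.scheme.lower(), parts.netloc.lower()) != own


def serve(headers, session, public_item, private_item):
    """Model of a script that has opted in to Access-Control.

    Cross-origin requests get only the public record and an Access-Control
    header; the session is never consulted on that path, so the response
    cannot depend on whatever cookie the browser attached. Same-origin
    requests keep the pre-existing, session-aware behaviour."""
    if is_cross_origin(headers):
        return {
            "status": 200,
            "headers": {"Access-Control-Allow-Origin": "*"},
            "body": {"item": public_item},
        }
    body = {"item": public_item}
    if session.get("user"):
        body["private"] = private_item
    return {"status": 200, "headers": {}, "body": body}


if __name__ == "__main__":
    for line_no, text in credential_uses(PHP_SAMPLE):
        print(f"line {line_no}: uses {text}")
    cross = {"Host": "news.yahoo.com", "Origin": "https://other.example"}
    print(serve(cross, {"user": "alice"}, {"id": 1}, {"drafts": ["x"]}))
```

The audit is deliberately a flat pattern scan: the point of the message is that the operator has to find every such use by hand, and a scan like this only finds the features someone remembered to list. The handler shows the other side of the argument, a script that serves a public record on the same URI it already serves to logged-in users, with the session read skipped whenever the request is cross-origin.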
Received on Friday, 20 June 2008 23:47:30 UTC