CSP and cookie header management

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 23 Oct 2013 13:35:45 +0100
Message-ID: <CADnb78gfUCma2FM+4qNVsG7-YLso1q5GXr-fso88buyKMaojag@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>
Cc: Ian Hickson <ian@hixie.ch>

A while ago Mark suggested cookie restrictions driven by a CSP policy.
This is not that.

This is more akin to the referrer control proposal. Developers want a
way to control cookies
https://www.w3.org/Bugs/Public/show_bug.cgi?id=11235 on outgoing
requests. It strikes me we could potentially do that via CSP rather
than having opt-in flags at each Fetch entry point. Of course, as with
referrer control this makes CSP more about a Fetch policy than a
security policy, but naming has never been our strong suit.

Any solution here would have to address whether cookies are
transmitted while fetching, and whether cookies transmitted with the
response are accepted. The different effects of this are spelled out
here: http://fetch.spec.whatwg.org/#basic-fetch (under http/https).

Anyone been thinking about this?

Received on Wednesday, 23 October 2013 12:36:13 UTC
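The message separates two distinct effects that any cookie-control policy would have to cover: whether stored cookies are attached to an outgoing request, and whether Set-Cookie headers on the response are accepted into the cookie store. The following is an added example, not code from the post, from the WebAppSec WG, or from the Fetch specification; it models those two effects as two independent switches on a hypothetical `policy` object (`sendCookies`, `acceptCookies`) over a minimal in-memory cookie jar, so the difference between the two outcomes can be observed on constructed input. The URLs, cookie values and function names are all constructed for the illustration and are not a proposed CSP directive syntax.

```javascript
// Added example (not from the mailing-list post): a minimal cookie jar that
// models the two effects the message distinguishes, independently of each other:
//   policy.sendCookies   -> are stored cookies attached to outgoing requests?
//   policy.acceptCookies -> are Set-Cookie headers on responses stored?
// The `policy` object and all names below are illustrative assumptions; they
// are not a CSP directive and not Fetch API surface.

class CookieJar {
  constructor() {
    this.store = new Map(); // key: host + "|" + cookie name -> cookie value
  }

  // Store the cookie carried by one Set-Cookie header value, if policy allows.
  // Only the name=value pair is kept; attributes after ';' are ignored here.
  accept(host, setCookieValue, policy) {
    if (!policy.acceptCookies) return false;
    const [pair] = setCookieValue.split(';');
    const eq = pair.indexOf('=');
    if (eq < 1) return false; // ignore malformed, name-less cookies
    const name = pair.slice(0, eq).trim();
    const value = pair.slice(eq + 1).trim();
    this.store.set(`${host}|${name}`, value);
    return true;
  }

  // Build the Cookie request header for a host, or null if nothing is sent.
  cookieHeader(host, policy) {
    if (!policy.sendCookies) return null;
    const parts = [];
    for (const [key, value] of this.store) {
      const [h, name] = key.split('|');
      if (h === host) parts.push(`${name}=${value}`);
    }
    return parts.length ? parts.join('; ') : null;
  }
}

// Simulate fetching `url` under `policy`: returns the request headers that
// would go out and whether the constructed response's Set-Cookie was stored.
function simulateFetch(jar, url, policy, responseSetCookie) {
  const host = new URL(url).host;
  const requestHeaders = {};
  const cookie = jar.cookieHeader(host, policy);
  if (cookie !== null) requestHeaders.Cookie = cookie;
  const stored = responseSetCookie
    ? jar.accept(host, responseSetCookie, policy)
    : false;
  return { requestHeaders, stored };
}

function demo() {
  const jar = new CookieJar();
  // Constructed sample: a first response sets a session cookie under a
  // policy that both sends and accepts cookies.
  const r1 = simulateFetch(jar, 'https://example.test/login',
    { sendCookies: true, acceptCookies: true }, 'sid=abc123; Path=/; HttpOnly');
  // Send-but-do-not-accept: the session cookie goes out, but the response's
  // new cookie is discarded rather than stored.
  const r2 = simulateFetch(jar, 'https://example.test/api',
    { sendCookies: true, acceptCookies: false }, 'track=1');
  // Neither send nor accept: the request is anonymous and nothing is stored.
  const r3 = simulateFetch(jar, 'https://example.test/api',
    { sendCookies: false, acceptCookies: false }, 'track=2');
  return { r1, r2, r3, storedKeys: [...jar.store.keys()] };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running `demo()` shows the two switches acting separately: the first fetch sends no Cookie header (the jar is empty) but stores `sid`; the second still sends `sid=abc123` yet refuses the response's `track` cookie; the third sends nothing and stores nothing. A real policy would additionally have to decide scope (per-origin, per-directive) and how it composes with existing Fetch credentials flags, which the message leaves open.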