- From: Nottingham, Mark <mnotting@akamai.com>
- Date: Tue, 10 Sep 2013 08:07:01 -0500
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <379150B4-0572-47A6-9159-BD7FE3014AF1@akamai.com>
Hello Webappsec,

I've been talking to a few folks about the issues around cookie scoping that Github ran into:

  <https://github.com/blog/1452-new-github-pages-domain-github-io>

This seems like a problem that's common to most sites hosting user-generated content using subdomains, and it seems like a new CSP directive might help things, at least over time.

As such, I'd like to propose a straw-man addition to CSP 1.1 to modify the algorithm for determining whether a cookie is host-only. Please understand that this isn't a final proposal, so don't get stuck on any particular detail; what's interesting is whether people want to address this with CSP.

---8<---

cookie-scope

The cookie-scope directive restricts the allowable domain(s) for cookies [RFC6265] set by content.

The syntax for the name and value of the directive is described by the following ABNF grammar:

  directive-name  = "cookie-scope"
  directive-value = "host" / "domain"

Let cookie be the result of step 6 in the algorithm described by Section 5.3 of [RFC6265], when a user-agent is processing a cookie set by content.

When the directive-value is "host", and the cookie's host-only-flag is false, the user-agent MUST ignore the cookie entirely and abort the algorithm. Otherwise, the algorithm is continued.

Usage

This section is non-normative.

Cookies can be set across different hosts in a domain; for example, login.example.com can set a cookie that's visible to sports.example.com. While this is useful when these different hostnames are under the control of one party, it is problematic when a site uses hosts in the same domain for "user-generated" content; e.g., bob.example.net and alice.example.net.

While hosts of such sites can control what cookies are set with HTTP headers by filtering them, it is more difficult to do so for those cookies set by content.

The cookie-scope directive allows these sites to control the cookies set by content, limiting them to a single host where appropriate:

  Content-Security-Policy: cookie-scope=host

--->8---

Regards,

--
Mark Nottingham   mnot@akamai.com   http://www.mnot.net/
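The following is an added example, not part of Mark's message or of any CSP or browser implementation. It models the part of RFC 6265 Section 5.3 that the proposal hooks into (step 4 collecting the Domain attribute, step 6 deciding the host-only-flag, with the domain-match rule from Section 5.1.3) and then applies the proposed `cookie-scope=host` check to a cookie set by content. The `storeCookie`, `parseSetCookie`, `domainMatches` and `demo` functions, the `policy.cookieScope` field and the `bob.example.net` scenario are all constructed for illustration; the directive name and its "host" / "domain" values are the ones from the draft text above.

```javascript
// RFC 6265 section 5.1.3: does `host` domain-match `domain`?
// Both strings are expected to be lowercase canonical host names.
function domainMatches(host, domain) {
  if (host === domain) return true;
  if (!host.endsWith(domain)) return false;
  const rest = host.slice(0, host.length - domain.length);
  // The character just before the matched suffix must be a dot, and an
  // IPv4 address never domain-matches a shorter string.
  return rest.endsWith('.') && !/^\d+(\.\d+){3}$/.test(host);
}

// Minimal parse of a Set-Cookie string: name/value plus the Domain attribute
// as section 5.2.3 normalises it (leading dot dropped, lowercased, last one wins).
function parseSetCookie(setCookie) {
  const [pair, ...attrs] = setCookie.split(';');
  const eq = pair.indexOf('=');
  if (eq < 0) return null; // section 5.2: no "=" in the name-value pair, ignore
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  let domainAttribute = '';
  for (const attr of attrs) {
    const sep = attr.indexOf('=');
    const attrName = (sep < 0 ? attr : attr.slice(0, sep)).trim().toLowerCase();
    if (attrName !== 'domain') continue;
    let v = sep < 0 ? '' : attr.slice(sep + 1).trim();
    if (v === '') continue;                // empty Domain attribute is ignored
    if (v.startsWith('.')) v = v.slice(1); // ".example.net" means "example.net"
    domainAttribute = v.toLowerCase();     // step 4: last Domain attribute wins
  }
  return { name, value, domainAttribute };
}

// Section 5.3 step 6, then the proposed cookie-scope check.
// Returns the cookie the user agent would store, or null if it ignores it.
// `policy.cookieScope` is a constructed stand-in for the parsed CSP directive.
function storeCookie(setCookie, requestHost, policy = {}) {
  const parsed = parseSetCookie(setCookie);
  if (parsed === null) return null;
  const host = requestHost.toLowerCase();
  const cookie = { name: parsed.name, value: parsed.value };
  if (parsed.domainAttribute !== '') {
    // step 6: a Domain the request-host does not match is rejected outright
    if (!domainMatches(host, parsed.domainAttribute)) return null;
    cookie.hostOnly = false;
    cookie.domain = parsed.domainAttribute;
  } else {
    cookie.hostOnly = true;
    cookie.domain = host;
  }
  // Proposed directive: with "host", a cookie whose host-only-flag is false is
  // ignored entirely (the draft's MUST). "domain" leaves RFC 6265 behaviour as is.
  if (policy.cookieScope === 'host' && cookie.hostOnly === false) return null;
  return cookie;
}

// Constructed scenario from the proposal's Usage text: content served from
// bob.example.net sets cookies; alice.example.net shares the parent domain.
function demo() {
  const host = 'bob.example.net';
  const hostOnlyPolicy = { cookieScope: 'host' };
  return {
    // Domain-wide cookie from content: dropped under cookie-scope=host
    domainCookie: storeCookie('sid=abc; Domain=.example.net; Path=/', host, hostOnlyPolicy),
    // Host-only cookie: unaffected by the directive
    hostCookie: storeCookie('pref=dark; Path=/', host, hostOnlyPolicy),
    // Same domain-wide cookie with no policy: RFC 6265 alone accepts it
    unpoliced: storeCookie('sid=abc; Domain=example.net', host, {}),
    // A Domain the request-host does not match is rejected by step 6 regardless
    foreign: storeCookie('x=1; Domain=other.test', host, {}),
  };
}
```

Running `demo()` shows the two behaviours side by side: without the directive the `Domain=example.net` cookie is stored with `hostOnly: false` and would be sent to alice.example.net, while under `cookie-scope=host` it is dropped and only the host-only `pref` cookie survives. The last case is a reminder that step 6 already rejects a Domain attribute the request-host does not match, so the directive only changes the outcome for cookies that RFC 6265 would otherwise accept.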
Attachments
- application/pkcs7-signature attachment: smime.p7s
Received on Tuesday, 10 September 2013 13:07:24 UTC