- From: Trevor Perrin <trevp@trevp.net>
- Date: Mon, 16 Sep 2013 19:06:19 -0700
- To: Erik Nygren <erik+w3@nygren.org>
- Cc: "Nottingham, Mark" <mnotting@akamai.com>, Tobias Gondrom <tobias.gondrom@gondrom.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Sat, Sep 14, 2013 at 7:45 AM, Erik Nygren <erik+w3@nygren.org> wrote:
>
> In particular, a frustrating aspect
> of cookies today is that they follow a different set of rules than one
> might expect from Origin policies. While this is necessary, there are
> cases where being able to limit cookies set by content to obey origin
> policies would be highly valuable.

Agreed that origin scoping of cookies would be valuable. But doesn't it make more sense to declare this policy for the cookies you're trying to protect (e.g. "Origin Cookies"), than to declare it on every page that might attack the cookies you're trying to protect?

Every host under a public suffix can set cookies which are sent to all other hosts under that suffix. So to protect cookies on "webmail.example.com" with CSP, you'd have to worry about CSP policy for every page under "example.com". And this still wouldn't protect you from rogue, hacked, or MITM-invented webservers under "example.com".

In contrast, if a webserver sets "origin" cookies at "webmail.example.com" and ignores non-origin cookies, then it becomes immune to whatever related domains do with cookies. It doesn't have to declare new CSP policies on related domains, and it gets protection against all related-domain attacks, not just javascript.

Trevor
Received on Tuesday, 17 September 2013 02:06:47 UTC
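
The scoping difference discussed in the message above, as an added example that is not part of the original e-mail. It is a toy cookie jar: the host `blog.example.com`, the one-entry public suffix list and the `setOrigin`/`originCookieHeader` model of origin cookies are assumptions made for illustration.

```javascript
// Toy model of browser cookie scoping; hosts and values are constructed.
// originCookies is an assumed model of the "origin cookie" idea: a cookie
// returned only to the exact origin that set it.
const PUBLIC_SUFFIXES = new Set(["com"]); // assumed stand-in for the real list

// RFC 6265 domain-match: host is the domain itself or a subdomain of it.
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

class CookieJar {
  constructor() {
    this.cookies = [];       // ordinary cookies: {name, value, scope, hostOnly}
    this.originCookies = []; // hypothetical origin cookies: {name, value, origin}
  }
  // Set-Cookie from setterHost; `domain` is the optional Domain attribute.
  set(setterHost, name, value, domain) {
    const scope = domain || setterHost;
    if (PUBLIC_SUFFIXES.has(scope) || !domainMatch(setterHost, scope)) return false;
    this.cookies.push({ name, value, scope, hostOnly: !domain });
    return true;
  }
  setOrigin(origin, name, value) {
    this.originCookies.push({ name, value, origin });
  }
  // What the server receives: name=value pairs only, with no record of
  // which host set each one.
  cookieHeader(host) {
    return this.cookies
      .filter(c => (c.hostOnly ? c.scope === host : domainMatch(host, c.scope)))
      .map(c => `${c.name}=${c.value}`).join("; ");
  }
  originCookieHeader(origin) {
    return this.originCookies.filter(c => c.origin === origin)
      .map(c => `${c.name}=${c.value}`).join("; ");
  }
}

function demo() {
  const jar = new CookieJar();
  jar.set("webmail.example.com", "sid", "legit");               // host-only
  jar.set("blog.example.com", "sid", "planted", "example.com"); // related host
  jar.setOrigin("https://webmail.example.com", "sid", "legit");
  jar.setOrigin("https://blog.example.com", "sid", "planted");
  return { ordinary: jar.cookieHeader("webmail.example.com"),
           origin: jar.originCookieHeader("https://webmail.example.com") };
}
```

In this model the ordinary header for `webmail.example.com` carries both `sid` values with nothing to tell them apart, while the origin-scoped header carries only the value that origin set itself.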