
Re: Adding cookie scope to CSP

From: Trevor Perrin <trevp@trevp.net>
Date: Mon, 16 Sep 2013 19:06:19 -0700
Message-ID: <CAGZ8ZG0v_VYBMm8cyaBMRKJQrPCquM=nn8uHkws9UWLzJF3L0g@mail.gmail.com>
To: Erik Nygren <erik+w3@nygren.org>
Cc: "Nottingham, Mark" <mnotting@akamai.com>, Tobias Gondrom <tobias.gondrom@gondrom.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Sat, Sep 14, 2013 at 7:45 AM, Erik Nygren <erik+w3@nygren.org> wrote:
>
> In particular, a frustrating aspect
> of cookies today is that they follow a different set of rules than one
> might expect from Origin policies.  While this is necessary, there are
> cases where being able to limit cookies set by content to obey origin
> policies would be highly valuable.

Agreed that origin scoping of cookies would be valuable.

But doesn't it make more sense to declare this policy for the cookies
you're trying to protect (e.g. "Origin Cookies"), than to declare it
on every page that might attack the cookies you're trying to protect?

Every host under a public suffix can set cookies which are sent to all
other hosts under that suffix.  So to protect cookies on
"webmail.example.com" with CSP, you'd have to worry about CSP policy
for every page under "example.com".  And this still wouldn't protect
you from rogue, hacked, or MITM-invented webservers under
"example.com".

In contrast, if a webserver sets "origin" cookies at
"webmail.example.com" and ignores non-origin cookies, then it becomes
immune to whatever related domains do with cookies.  It doesn't have
to declare new CSP policies on related domains, and it gets protection
against all related-domain attacks, not just javascript.


Trevor
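The contrast drawn above, as an added illustration that is not part of the original thread: a small simulated cookie jar showing why a host-only cookie on webmail.example.com is still shadowed under RFC 6265 domain scoping, and how an origin-scoped cookie would not be. The `origin_cookies_for_request` function and the `set_by` field are assumptions standing in for an origin-cookie mechanism, not any specification's exact format.

```python
"""Constructed cookie-jar simulation contrasting RFC 6265 domain scoping
(the "non-origin cookies" of the message) with hypothetical origin-scoped
cookies. Illustrative only; not code from the thread or from any browser."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    set_by: str              # origin (scheme://host) that sent Set-Cookie
    domain: Optional[str]    # Domain attribute; None means host-only


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching (simplified: no IP literals)."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def host_of(origin: str) -> str:
    return origin.split("://", 1)[1]


def cookies_for_request(jar: List[Cookie], origin: str) -> List[Tuple[str, str]]:
    """Cookie header as RFC 6265 builds it: every cookie whose scope matches
    is attached, whichever host set it, and the server sees no origin data."""
    host = host_of(origin)
    sent = []
    for c in jar:
        if c.domain is None:
            if host == host_of(c.set_by):
                sent.append((c.name, c.value))
        elif domain_match(host, c.domain):
            sent.append((c.name, c.value))
    return sent


def origin_cookies_for_request(jar: List[Cookie], origin: str) -> List[Tuple[str, str]]:
    """Hypothetical origin-scoped cookies (assumption): only cookies set by
    this exact origin are attached, so sibling hosts cannot add or shadow any."""
    return [(c.name, c.value) for c in jar if c.set_by == origin]


# Constructed scenario: webmail sets a host-only session cookie; an unrelated
# sibling host under the same registrable domain sets one with Domain=example.com.
JAR = [
    Cookie("session", "legit", "https://webmail.example.com", None),
    Cookie("session", "shadow", "https://other.example.com", "example.com"),
]
```

Under domain scoping the server receives two `session` cookies and cannot tell which one it set; under origin scoping it receives only its own. The same idea later shipped as the `__Host-` cookie-name prefix in RFC 6265bis.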
Received on Tuesday, 17 September 2013 02:06:47 UTC
