- From: Erik Nygren <erik+w3@nygren.org>
- Date: Tue, 17 Sep 2013 13:41:22 -0400
- To: "Nottingham, Mark" <mnotting@akamai.com>
- Cc: Trevor Perrin <trevp@trevp.net>, Tobias Gondrom <tobias.gondrom@gondrom.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Having the webserver ignore untrusted cookies is also not adequate. Some of the things we want to protect against (not a complete list):

1) Content on one host setting a cookie that gets sent for every HTTP request to the domain:

   1a) Performance or availability issues across hosts in the domain if the number of cookies set gets to be too big (as cookies set on the domain are sent to all hosts in the domain, including hosts that don't want to get those cookies).

   1b) Potential privacy or compliance issues caused by this. (Content from a host in the domain can cause cookies to be sent with information that other hosts in the domain may not want to see from a privacy/compliance perspective.)

   1c) Potential attack vectors against other websites in the domain (e.g., enabling CSRF attacks against some types of buggy software).

2) Content on one host deleting or modifying cookies set on the domain.

A webserver is able to protect against these today for cookies set via "Set-Cookie", but is unable to protect against content that it has served from doing any of these. The CSP approach allows a webserver to instruct the client that the content is untrusted and shouldn't be allowed to do any of these.

There is a separate issue about blocking the visibility of cookies to untrusted content that is within the scope of a host/origin/domain, but that wasn't really the problem this proposal was trying to solve.

Erik

On Mon, Sep 16, 2013 at 11:02 PM, Nottingham, Mark <mnotting@akamai.com> wrote:
>>> In contrast, if a webserver sets "origin" cookies at
>> "webmail.example.com" and ignores non-origin cookies, then it becomes
>> immune to whatever related domains do with cookies. It doesn't have
>> to declare new CSP policies on related domains, and it gets protection
>> against all related-domain attacks, not just javascript.
Received on Tuesday, 17 September 2013 17:41:49 UTC
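To make the domain-scoping behaviour behind points 1 and 2 of the message concrete, here is an added Python sketch of a user agent's cookie jar following the RFC 6265 domain-match and host-only rules; it is not code from the thread or from either proposal, and the hostnames and cookie values are constructed examples.

```python
# Added illustration: a minimal RFC 6265-style cookie jar showing why a cookie
# set with a Domain attribute by one host is sent to every host under that
# domain, and how it sits beside (or replaces) cookies other hosts set.
# Path attributes are ignored for brevity. Hostnames are constructed examples.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # canonicalised, no leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def set_cookie(jar: List[Cookie], setting_host: str, name: str, value: str,
               domain_attr: Optional[str] = None) -> None:
    """Store a cookie the way a UA handles Set-Cookie received from setting_host."""
    if domain_attr is None:
        cookie = Cookie(name, value, setting_host.lower(), host_only=True)
    else:
        domain = domain_attr.lstrip(".").lower()
        if not domain_matches(setting_host, domain):
            return  # UA refuses a Domain the setting host is not under
        cookie = Cookie(name, value, domain, host_only=False)
    # Same name and domain replaces the stored cookie: this is how one host
    # can modify or delete a cookie another host set on the shared domain.
    jar[:] = [c for c in jar if not (c.name == cookie.name and c.domain == cookie.domain)]
    jar.append(cookie)


def cookies_for_request(jar: List[Cookie], request_host: str) -> List[str]:
    """Cookie header entries a UA would send to request_host, in jar order."""
    sent = []
    for c in jar:
        if c.host_only and c.domain != request_host.lower():
            continue
        if not c.host_only and not domain_matches(request_host, c.domain):
            continue
        sent.append(f"{c.name}={c.value}")
    return sent


def demo() -> dict:
    jar: List[Cookie] = []
    set_cookie(jar, "webmail.example.com", "session", "good")            # host-only
    set_cookie(jar, "blog.example.com", "session", "other", domain_attr="example.com")
    set_cookie(jar, "blog.example.com", "tracking", "xxxx", domain_attr="example.com")
    set_cookie(jar, "blog.example.com", "bogus", "1", domain_attr="other.example")  # refused
    return {h: cookies_for_request(jar, h + ".example.com") for h in ("webmail", "shop")}
```

Note that webmail.example.com receives two `session` cookies and, on the wire, cannot tell which one it set itself; that is the gap the thread's "origin cookies" and CSP proposals are discussing.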