
Re: Adding cookie scope to CSP

From: Erik Nygren <erik+w3@nygren.org>
Date: Tue, 17 Sep 2013 13:41:22 -0400
Message-ID: <CAKC-DJiew8f=1Z1zGvLaySCg5tTm9FdCEJCCFWXQmbSeN50BJQ@mail.gmail.com>
To: "Nottingham, Mark" <mnotting@akamai.com>
Cc: Trevor Perrin <trevp@trevp.net>, Tobias Gondrom <tobias.gondrom@gondrom.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Having the webserver ignore untrusted cookies is also not adequate.
Some of the things we want to protect against (not a complete list):

1) Content on one host setting a cookie that gets sent for every HTTP
request to the domain:
1a) Performance or availability issues across hosts in the domain if
the number of cookies set gets to be too big (as cookies set on the
domain are sent to all hosts in the domain, including hosts that don't
want to get those cookies).
1b) Potential privacy or compliance issues caused by this.  (Content
from a host in the domain can cause cookies to be sent with information
that other hosts in the domain may not want to see from a
privacy/compliance perspective.)
1c) Potential attack vectors against other websites in the domain (e.g.,
enabling CSRF attacks against some types of buggy software)

2) Content on one host deleting or modifying cookies set on the domain.

A webserver is able to protect against these today for cookies set via
"Set-Cookie", but is unable to protect against content that it has
served from doing any of these.  The CSP approach allows a webserver
to instruct the client that the content is untrusted and shouldn't be
allowed to do any of these.

There is a separate issue about blocking the visibility of cookies to
untrusted content that is within the scope of a host/origin/domain,
but that wasn't really the problem this proposal was trying to solve.


On Mon, Sep 16, 2013 at 11:02 PM, Nottingham, Mark <mnotting@akamai.com> wrote:
>>> In contrast, if a webserver sets "origin" cookies at
>> "webmail.example.com" and ignores non-origin cookies, then it becomes
>> immune to whatever related domains do with cookies.  It doesn't have
>> to declare new CSP policies on related domains, and it gets protection
>> against all related-domain attacks, not just javascript.
Received on Tuesday, 17 September 2013 17:41:49 UTC
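As an added illustration that is not part of this thread, the following Python toy cookie jar applies RFC 6265 domain matching to show the scoping behaviour the message is arguing about: a host-only cookie stays with the host that set it, while a Domain= cookie planted by content on one host is attached to requests for every host in the domain and can sit alongside a sibling's same-named cookie. The hostnames and cookie values are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # the Domain attribute, or the setting host if absent
    host_only: bool   # True when no Domain attribute was given

def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-matching (string form only; the
    IP-address rule is omitted in this simplified jar)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

class Jar:
    def __init__(self):
        self.cookies = {}  # keyed on (name, domain), as a real jar is

    def set_cookie(self, setting_host, name, value, domain=None):
        # Without Domain= the cookie is host-only; with Domain= it is shared
        # with every host under that domain, provided it covers the setter.
        if domain is None:
            cookie = Cookie(name, value, setting_host.lower(), True)
        else:
            domain = domain.lstrip(".").lower()
            if not domain_match(setting_host, domain):
                return False  # browsers reject a Domain the setter is not in
            cookie = Cookie(name, value, domain, False)
        self.cookies[(name, cookie.domain)] = cookie
        return True

    def cookies_for(self, host):
        """The cookies a client would attach to a request to `host`."""
        return [c for c in self.cookies.values()
                if (host.lower() == c.domain if c.host_only
                    else domain_match(host, c.domain))]

def build_jar():
    """Constructed scenario: webmail sets a host-only session cookie, then
    content served on a sibling host plants domain-wide cookies (issue 1),
    including one with the same name as the session cookie (issue 2)."""
    jar = Jar()
    jar.set_cookie("webmail.example.com", "session", "s1")
    for i in range(3):
        jar.set_cookie("blog.example.com", f"junk{i}", "x" * 10, domain="example.com")
    jar.set_cookie("blog.example.com", "session", "from-blog", domain="example.com")
    return jar
```

Requests to webmail.example.com now carry every domain cookie plus two cookies named `session`, which a server that "ignores untrusted cookies" cannot prevent from being transmitted.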
