
CSP policy to constrain cookies to origin

From: Erik Nygren <erik+w3@nygren.org>
Date: Thu, 27 Aug 2015 13:22:29 -0400
Message-ID: <CAKC-DJgJVLaPUYva4O0qX4GG4GCq0GZXP4RyFhUcsysiD1Zmng@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
I continue to run into cases where it would be extremely valuable to have a
CSP policy that constrains cookie setting to an origin or host.  It would
be worthwhile to find some way to move this forwards.

For example, to allow:

   Content-Security-Policy: cookie-scope=origin

In particular, there is little that can be done today by a web server to
prevent javascript from setting cookies on parent domains.  (The only thing
I'm aware of that helps for some clients is to add domains to the Public
Suffix List.)

Such a policy could also allow origins to enforce "Origin Cookie" semantics
rather than the historically different semantics that apply to cookies.

From previous discussion, other cookie scopes might also have value:

     https://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0046.html

Best, Erik

Received on Thursday, 27 August 2015 17:22:56 UTC
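To make the proposed semantics concrete, the following is an added illustration (editor's code, not part of Erik's message or of any CSP specification) that models the check a hypothetical `cookie-scope=origin` directive would have to perform before a `document.cookie` write takes effect. The directive value, the `cookieAllowedByScope` and `makeGuardedJar` functions and the example hosts are assumptions.

```javascript
// Parse one cookie string as handed to document.cookie, e.g.
// "sid=abc; Domain=example.com; Path=/; Secure".
function parseCookie(cookieString) {
  const [pair, ...attrs] = cookieString.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq < 0 ? pair : pair.slice(0, eq),
    value: eq < 0 ? "" : pair.slice(eq + 1),
    attrs: {},
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Model of the hypothetical policy (assumption, not a shipped directive).
// With cookie-scope=origin a cookie may only be set for the exact host that
// sets it: either no Domain attribute (host-only cookie) or a Domain equal to
// that host (RFC 6265 ignores a leading dot). A Domain naming a parent such as
// "example.com" written from "app.example.com" is rejected, which is the case
// the message says a server cannot prevent today.
function cookieAllowedByScope(cookieString, documentHost, scope) {
  if (scope !== "origin") return true; // no constraint configured
  const { attrs } = parseCookie(cookieString);
  if (!("domain" in attrs)) return true; // host-only cookie
  const domain = String(attrs.domain).replace(/^\./, "").toLowerCase();
  return domain === documentHost.toLowerCase();
}

// A minimal stand-in for document.cookie: a setter that applies the policy,
// keeps allowed cookies, and records blocked writes the way a CSP violation
// report would surface them to the site operator.
function makeGuardedJar(documentHost, scope) {
  const stored = [];
  const blocked = [];
  return {
    set cookie(value) {
      const c = parseCookie(value);
      if (cookieAllowedByScope(value, documentHost, scope)) {
        stored.push(`${c.name}=${c.value}`);
      } else {
        blocked.push(value);
      }
    },
    get cookie() {
      return stored.join("; ");
    },
    blocked,
  };
}
```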
