
Re: CSP policy to constrain cookies to origin

From: Craig Francis <craig.francis@gmail.com>
Date: Thu, 27 Aug 2015 18:48:21 +0100
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-Id: <6DCECD4A-67D8-4A7B-820D-DBDC9C913351@gmail.com>
To: Erik Nygren <erik+w3@nygren.org>
On 27 Aug 2015, at 18:22, Erik Nygren <erik+w3@nygren.org> wrote:
> Content-Security-Policy: cookie-scope=origin
Would part of this be covered with the First-Party-Only cookies suggestion?

https://tools.ietf.org/html/draft-west-first-party-cookies-03

Which allows the scope to be set on a per-cookie basis.

As to blocking cookies on the parent domain, I'm not sure how easily that could be implemented in CSP... I like the idea though.
On 27 Aug 2015, at 18:22, Erik Nygren <erik+w3@nygren.org> wrote:

> I continue to run into cases where it would be extremely valuable to have a CSP policy that constrains cookie setting to an origin or host.  It would be worthwhile to find some way to move this forwards.
> 
> For example, to allow:
>    Content-Security-Policy: cookie-scope=origin
> In particular, there is little that can be done today by a web server to prevent JavaScript from setting cookies on parent domains.  (The only thing I'm aware of that helps for some clients is to add domains to the Public Suffix List.)
> 
> Such a policy could also allow origins to enforce "Origin Cookie" semantics rather than the historically different semantics that apply to cookies.
> 
> From previous discussion, other cookie scopes might also have value:
> 
>      https://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0046.html
> 
> Best, Erik
Received on Thursday, 27 August 2015 17:48:52 UTC
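The parent-domain cookie problem Erik describes, worked through as an added example (not part of the original thread, and not code from any of the participants). It models the RFC 6265 cookie-acceptance rules closely enough to show three things: that a script on app.example.com can today plant a cookie with Domain=example.com which admin.example.com will then receive; that the Public Suffix List only stops this at suffix boundaries (the PUBLIC_SUFFIXES set below is a tiny constructed stand-in for the real list); and what the proposed cookie-scope=origin directive would change. The thread names the directive but does not specify its semantics, so the rule used here, "reject any cookie that carries a Domain attribute", is this example's own assumption. Host names, cookie names and the policy object are all made up for illustration; no browser API is used, so it runs under Node.

```javascript
// Added example (not from the thread): a minimal model of RFC 6265 cookie
// acceptance, showing why a script on one host can today set a cookie on its
// parent domain, where the Public Suffix List does and does not help, and what
// a CSP cookie-scope=origin directive could change. The directive's semantics
// modelled here are an assumption; the thread only proposes the name.

// Constructed stand-in for the Public Suffix List. Real browsers ship the full
// list from https://publicsuffix.org/.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk", "github.io"]);

// Parse a Set-Cookie string (or a document.cookie assignment) into its
// name/value and the Domain attribute, the only attribute this model needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq <= 0) return null; // no name, or no "=" at all: malformed
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1) };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    // A leading dot is ignored, so "Domain=.example.com" == "Domain=example.com".
    if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
  }
  return cookie;
}

// RFC 6265 section 5.1.3 domain matching: the strings are equal, or host is a
// subdomain of domain and host is a name rather than an IPv4 address.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  if (host === domain) return true;
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  return !isIPv4 && host.endsWith("." + domain);
}

// Decide whether a cookie set from requestHost is stored, and with what scope,
// following RFC 6265 section 5.3 plus the (hypothetical) CSP policy object.
function evaluateCookie(requestHost, header, policy = {}) {
  const cookie = parseSetCookie(header);
  if (!cookie) return { accepted: false, reason: "malformed cookie string" };
  const host = requestHost.toLowerCase();

  // No Domain attribute: a host-only cookie, scoped to exactly this host.
  if (cookie.domain === undefined) {
    return { accepted: true, hostOnly: true, domain: host, name: cookie.name };
  }

  // Browsers consult the PSL first: a cookie may not span a public suffix
  // (e.g. Domain=github.io set from foo.github.io is dropped). If the host
  // itself is the suffix, the cookie is kept but demoted to host-only.
  if (PUBLIC_SUFFIXES.has(cookie.domain)) {
    if (cookie.domain === host) {
      return { accepted: true, hostOnly: true, domain: host, name: cookie.name };
    }
    return { accepted: false, reason: `Domain=${cookie.domain} is a public suffix` };
  }

  // RFC 6265 section 5.3 step 6: the request host must domain-match Domain.
  if (!domainMatches(host, cookie.domain)) {
    return { accepted: false, reason: `${host} does not domain-match ${cookie.domain}` };
  }

  // Assumed semantics for the proposed directive: with cookie-scope=origin any
  // Domain attribute is refused, so script cannot widen a cookie to a parent
  // domain. This is the example's reading of the proposal, not spec text.
  if (policy.cookieScope === "origin") {
    return { accepted: false, reason: "cookie-scope=origin forbids the Domain attribute" };
  }

  return { accepted: true, hostOnly: false, domain: cookie.domain, name: cookie.name };
}

// Would a stored cookie be attached to a request for host? (RFC 6265 section 5.4)
function sentTo(stored, host) {
  if (!stored.accepted) return false;
  host = host.toLowerCase();
  return stored.hostOnly ? host === stored.domain : domainMatches(host, stored.domain);
}

// Demonstration: an attacker who can run script on app.example.com (an XSS,
// say) plants a session cookie that admin.example.com will then receive, i.e.
// session fixation across sibling hosts. Only the Domain attribute makes the
// difference; under the modelled policy the same assignment is refused.
const planted = evaluateCookie("app.example.com", "SESSION=attacker; Domain=example.com; Path=/");
console.log(planted.accepted, sentTo(planted, "admin.example.com")); // true true
console.log(
  evaluateCookie("app.example.com", "SESSION=attacker; Domain=example.com", { cookieScope: "origin" }).accepted
); // false
```

Note what the PSL does not cover: example.com is not a public suffix, so a browser has no basis to refuse Domain=example.com from app.example.com. That is the gap Erik points to, and the reason a server-side signal such as a CSP directive, or a per-cookie attribute as in the First-Party cookies draft, is needed rather than another list entry.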