
Re: CSP policy to constrain cookies to origin

From: Erik Nygren <erik+w3@nygren.org>
Date: Thu, 27 Aug 2015 13:55:10 -0400
Message-ID: <CAKC-DJjYH5_sewCEfLD2DbDxe+9_pNJm1++GVfkfVm-iJc-dXQ@mail.gmail.com>
To: Craig Francis <craig.francis@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Mike's First-Party-Only cookie proposal allows those setting cookies to constrain them, but does nothing (unless I'm misreading) to prevent cookies from being set that aren't First-Party-Only.

One way would be to structure the Content-Security-Policy to force or upgrade any cookie setting by document.cookie to be First-Party-Only.

I also just found this issue on the topic:
https://github.com/w3c/webappsec/issues/432
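As an added illustration of the proposal (not code from this thread, and not a directive any browser implements): a small JavaScript model of what enforcing `cookie-scope=origin` on document.cookie writes could look like, in a blocking mode and in the upgrade-to-First-Party-Only mode suggested above. The function names, the 'block'/'upgrade' modes and the sample cookie are assumptions made for this example.

```javascript
// Added example, not code from the thread or from any browser: a model of the
// proposed "cookie-scope=origin" CSP directive. No shipping CSP has it; "First-
// Party-Only" is the attribute from draft-west-first-party-cookies. Names assumed.

// Split a document.cookie assignment into name, value and [key, value] attributes.
function parseCookieString(cookieStr) {
  const parts = cookieStr.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = parts.slice(1).map((p) => {
    const i = p.indexOf('=');
    return i === -1 ? [p, null] : [p.slice(0, i).trim(), p.slice(i + 1).trim()];
  });
  return { name, value, attrs };
}

// RFC 6265 domain-matching: host equals the domain or is a subdomain of it.
function domainMatches(host, domain) {
  const d = domain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Apply the policy to one cookie written by a document on `host`.
// mode 'block' rejects parent-domain cookies; mode 'upgrade' rewrites them
// to host-only First-Party-Only cookies, as the message proposes.
function enforceCookieScope(cookieStr, host, mode) {
  const c = parseCookieString(cookieStr);
  const dom = c.attrs.find(([k]) => k.toLowerCase() === 'domain');
  if (!dom) return { action: 'allow', cookie: cookieStr }; // already host-only
  if (!domainMatches(host, dom[1])) {
    return { action: 'block', cookie: null, reason: 'Domain does not match host' };
  }
  if (dom[1].replace(/^\./, '').toLowerCase() === host.toLowerCase()) {
    return { action: 'allow', cookie: cookieStr }; // Domain names the host itself
  }
  if (mode === 'block') {
    return { action: 'block', cookie: null, reason: 'Domain is a parent of host' };
  }
  // upgrade: drop Domain (cookie becomes host-only) and add First-Party-Only
  const kept = c.attrs.filter((a) => a !== dom).map(([k, v]) => (v === null ? k : `${k}=${v}`));
  if (!kept.some((a) => a.toLowerCase() === 'first-party-only')) kept.push('First-Party-Only');
  return { action: 'upgrade', cookie: [`${c.name}=${c.value}`, ...kept].join('; ') };
}

// Constructed sample: a page on app.example.com trying to set a cookie on example.com.
const sample = 'session=abc123; Domain=.example.com; Path=/; Secure';
console.log(enforceCookieScope(sample, 'app.example.com', 'block'));
console.log(enforceCookieScope(sample, 'app.example.com', 'upgrade'));
```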


On Thu, Aug 27, 2015 at 1:48 PM, Craig Francis <craig.francis@gmail.com> wrote:

> On 27 Aug 2015, at 18:22, Erik Nygren <erik+w3@nygren.org> wrote:
>
> Content-Security-Policy: cookie-scope=origin
>
> Would part of this be covered with the First-Party-Only cookies suggestion?
>
> https://tools.ietf.org/html/draft-west-first-party-cookies-03
>
> Which allows the scope to be set on a per-cookie basis.
>
> As to blocking cookies on the parent domain, I'm not sure how easily that
> could be implemented in CSP... I like the idea though.
>
> On 27 Aug 2015, at 18:22, Erik Nygren <erik+w3@nygren.org> wrote:
>
> I continue to run into cases where it would be extremely valuable to have
> a CSP policy that constrains cookie setting to an origin or host. It would
> be worthwhile to find some way to move this forwards.
>
> For example, to allow:
>
>    Content-Security-Policy: cookie-scope=origin
>
> In particular, there is little that can be done today by a web server to
> prevent javascript from setting cookies on parent domains. (The only thing
> I'm aware of that helps for some clients is to add domains to the Public
> Suffix List.)
>
> Such a policy could also allow origins to enforce "Origin Cookie"
> semantics rather than the historically different semantics that apply to
> cookies.
>
> From previous discussion, other cookie scopes might also have value:
>
> https://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0046.html
>
> Best, Erik
Received on Thursday, 27 August 2015 17:55:39 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:14 UTC