
Re: CSP policy to constrain cookies to origin

From: Mike West <mkwst@google.com>
Date: Fri, 28 Aug 2015 07:02:18 +0200
Message-ID: <CAKXHy=faqNwty_8pqCpKsrcxJAJBmbK=9H+Dpw66BpQnF1BuZA@mail.gmail.com>
To: Erik Nygren <erik+w3@nygren.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Aug 27, 2015 at 7:22 PM, Erik Nygren <erik+w3@nygren.org> wrote:
> From previous discussion, other cookie scopes might also have value:
> https://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0046.html

Ah, September 2013. One of the several times at which I thought that CSP2
was done and ready to ship. How absurd and naïve in hindsight. I didn't do
a good job driving things to completion, as is likely quite obvious from
the 2-year gap between then and now.

I still like mnot's proposal, and I think it does indeed address the
concerns of folks like sandstorm.io. I intend to add something like it to
CSP3. I'm not sure that the extensions proposed (path, etc) are useful, and
tend towards thinking that we should avoid improving support for the cookie
properties that don't mesh well with web origins.

Relatedly, we'll likely also want something to control `document.domain`.
It's possible, in fact, that these two things are really the same. That is,
anyone who would want to lock `document.cookie` to the current host would
likely also want to lock `document.domain`. We could certainly add separate
syntax for this if desired, but combining them seems like it might be


Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 28 August 2015 05:03:06 UTC
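The message above argues that cookie scoping "doesn't mesh well with web origins" and that locking `document.cookie` to the current host and locking `document.domain` are close to the same thing. The following is an added example, not code from the thread, from mnot's proposal, or from any CSP implementation: it implements the RFC 6265 domain-match and path-match rules that decide cookie visibility, puts them beside origin equality (scheme, host, port) for a few constructed URL pairs, and reuses the same host-suffix matching to model `document.domain` relaxation. The hostnames and the tiny `PUBLIC_SUFFIXES` set are placeholders, not real deployments or the real public suffix list.

```javascript
// Added example (not from the mailing-list thread or any CSP spec/implementation).
// Cookie visibility: RFC 6265 domain/path matching, scheme only via Secure, port never.
// Origin: the (scheme, host, port) tuple. The two disagree in both directions.

// RFC 6265 section 5.1.3 domain-match. IPv4 literals never suffix-match.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return host.endsWith("." + domain);
}

// RFC 6265 section 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  return requestPath.charAt(cookiePath.length) === "/";
}

// HTML origin serialization: scheme plus host (URL.host keeps a non-default port).
function originOf(url) {
  const u = new URL(url);
  return u.protocol + "//" + u.host;
}

// The cookie as a user agent would store it after Set-Cookie from setterUrl.
// hostOnly is set when no Domain attribute was given. Expiry and SameSite are
// left out to keep the example short.
function storedCookie(setterUrl, { domain = null, path = "/", secure = false } = {}) {
  const u = new URL(setterUrl);
  if (domain !== null) {
    domain = domain.replace(/^\./, "");
    // RFC 6265 section 5.3 step 6: the setter must itself domain-match the attribute.
    if (!domainMatches(u.hostname, domain)) throw new Error("Domain attribute rejected");
  }
  return {
    domain: domain === null ? u.hostname.toLowerCase() : domain.toLowerCase(),
    hostOnly: domain === null,
    path,
    secure,
  };
}

// Would this cookie be attached to a request to, or readable by script at, url?
function cookieVisibleAt(cookie, url) {
  const u = new URL(url);
  const hostOk = cookie.hostOnly
    ? u.hostname.toLowerCase() === cookie.domain
    : domainMatches(u.hostname, cookie.domain);
  if (!hostOk) return false;
  if (!pathMatches(u.pathname, cookie.path)) return false;
  if (cookie.secure && u.protocol !== "https:") return false;
  return true;
}

// Origin isolation versus cookie isolation for one setter/reader pair.
function compare(setterUrl, attrs, readerUrl) {
  const cookie = storedCookie(setterUrl, attrs);
  return {
    sameOrigin: originOf(setterUrl) === originOf(readerUrl),
    cookieVisible: cookieVisibleAt(cookie, readerUrl),
  };
}

// Assumption: a tiny stand-in for the public suffix list (browsers use the real one).
// A document may relax document.domain to any suffix of its host that domain-matches
// and is not itself a public suffix.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk", "github.io"]);

function canSetDocumentDomain(host, value) {
  value = value.toLowerCase();
  return domainMatches(host, value) && !PUBLIC_SUFFIXES.has(value);
}

// Two documents can script each other once both set document.domain to the same
// value, provided both are allowed to and their schemes match.
function canRelaxTogether(urlA, urlB, value) {
  const a = new URL(urlA), b = new URL(urlB);
  return a.protocol === b.protocol &&
    canSetDocumentDomain(a.hostname, value) &&
    canSetDocumentDomain(b.hostname, value);
}

// Constructed cases with placeholder hosts.
const cases = [
  // Domain=example.com: a sibling host on a different origin reads the cookie.
  compare("https://app.example.com/", { domain: "example.com" }, "https://other.example.com/"),
  // Host-only, no Secure: different scheme and port (different origin), cookie still visible.
  compare("https://app.example.com/", {}, "http://app.example.com:8080/"),
  // Host-only + Secure: plain http on the same host does not get it.
  compare("https://app.example.com/", { secure: true }, "http://app.example.com/"),
];
console.log(cases);
console.log(canRelaxTogether("https://app.example.com/", "https://other.example.com/", "example.com"));
console.log(canRelaxTogether("https://a.github.io/", "https://b.github.io/", "github.io"));
```

The first two cases are the mismatch the message points at: a `Domain=` cookie, and even a host-only cookie without `Secure`, are visible from origins other than the one that set them, while `canRelaxTogether` shows that `document.domain` is gated by the same host-suffix match, which is why a directive that pins cookies to the host naturally pairs with one that pins `document.domain`.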
