
Re: CSP policy to constrain cookies to origin

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 28 Aug 2015 13:52:08 -0700
Message-ID: <CAPfop_2FuAx9QfKkUdxr=ONAonfxdmLrkkrXLvGs1kOnwsxLtw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Erik Nygren <erik+w3@nygren.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
+1 to this. I would find this very useful and likely adopt it as soon
as it is available.

On 27 August 2015 at 22:02, Mike West <mkwst@google.com> wrote:
> On Thu, Aug 27, 2015 at 7:22 PM, Erik Nygren <erik+w3@nygren.org> wrote:
>>
>> From previous discussion, other cookie scopes might also have value:
>>
>>
>> https://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0046.html
>
>
> Ah, September 2013. One of the several times at which I thought that CSP2
> was done and ready to ship. How absurd and naïve in hindsight. I didn't do a
> good job driving things to completion, as is likely quite obvious from the
> 2-year gap between then and now.
>
> I still like mnot's proposal, and I think it does indeed address the
> concerns of folks like sandstorm.io. I intend to add something like it to
> CSP3. I'm not sure that the extensions proposed (path, etc) are useful, and
> tend towards thinking that we should avoid improving support for the cookie
> properties that don't mesh well with web origins.
>
> Relatedly, we'll likely also want something to control `document.domain`.
> It's possible, in fact, that these two things are really the same. That is,
> anyone who would want to lock `document.cookie` to the current host would
> likely also want to lock `document.domain`. We could certainly add separate
> syntax for this if desired, but combining them seems like it might be
> reasonable.
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
> Register court and number: Hamburg, HRB 86891, registered office:
> Hamburg, managing directors: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 28 August 2015 20:52:56 UTC
