W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2016

Re: Call for Consensus: Stop work and transition 3 Working Drafts to Working Group Notes

From: David Ross <drx@google.com>
Date: Wed, 13 Jul 2016 11:42:21 -0700
Message-ID: <CAMM+ux7SfSJ6Lj0VepwpSYcWd2U3g2DDpZguquqfxJqfehg65g@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
FWIW, I don't think same site cookies substantially diminish the value prop
of EPR.

1)  Same-site cookies don't prevent XSS.  To be clear, I'm not suggesting
that same-site cookies _should_ mitigate XSS, I'm just pointing to value
that EPR provides over and above same-site cookies.  For example, an
attacker might use an XSS in a page that doesn't require auth, then
subsequently attempt a same-site POST to an endpoint that does.  EPR is
valuable defense-in-depth given that other XSS mitigations (namely CSP)
approach this problem space differently.  CSP attempts to regulate what the
page can do whereas EPR attempts to provide a level of isolation.

2)  In order to mitigate XSRF with same site cookies it may be necessary to
opt-in to "strict" mode, which has some drawbacks.  (E.g.: It may require
separate "read" and "write" cookies to avoid compat issues, as per section
5.2 of the Same-site cookie draft RFC.)

In any case, EPR has been stalled for other reasons and I'm not going to
contest the proposed transition.  I just hope that it won't be too hard to
revive it as necessary in the future.

Dave

On Tue, Jul 12, 2016 at 2:33 PM, Brad Hill <hillbrad@gmail.com> wrote:

> This is a call for consensus to transition three Working Drafts of the Web
> Application Security WG to "Working Group Note" status and indicate that
> they are no longer under active development towards the Recommendation
> Track, as discussed at the May F2F and briefly on the list.
>
> The following specifications are proposed for transition:
> ---------------------------------------------------
> Entry Point Regulation
> https://www.w3.org/TR/epr/
>
> Last updated ~1 year ago.
> Reason to transition to Note: Same-site cookies (
> https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00)
> provide much of the intended attack surface reduction more simply
> ---------------------------------------------------
>
>
> ---------------------------------------------------
> CSP Cookie Controls
> https://www.w3.org/TR/csp-cookies/
>
> Last updated ~6 months ago.
> Reason to transition to Note: The Feature Policy proposal (
> https://wicg.github.io/feature-policy/) could be a better home for the
> intended functionality as part of a broader and more coherent approach,
> rather than putting this into CSP.
> ---------------------------------------------------
>
> ---------------------------------------------------
> CSP Pinning
> https://www.w3.org/TR/csp-pinning/
>
> Last updated ~6 months ago.
> Reason to transition to Note: While this kind of feature is still
> considered useful, like Cookie Controls and Feature Policy, the editor
> feels it would be better managed as part of a more generalized strategy for
> header pinning, and as part of that, with a strategy perhaps along the
> lines of a manifest, well-known resource or service worker that doesn't
> incur the cost of sending the pinning header with every request.
> ---------------------------------------------------
>
> This CfC will be discussed on tomorrow's regularly scheduled working group
> teleconference (agenda to follow shortly on this list) and will close on
> Friday, 22-July-2016.
>
> Positive responses encouraged, silence is consent.
>
> Thank you,
>
> Brad Hill
>
>
Received on Wednesday, 13 July 2016 18:43:10 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:20 UTC