W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2018

Cookie controls?

From: Yoav Weiss <yoav@yoav.ws>
Date: Thu, 16 Aug 2018 10:41:42 +0200
Message-ID: <CACj=BEhuM_DpOBt0P1AGqH308Kupg5afJScAMbG_Psbh8wMDaw@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>, Erik Nygren <erik@nygren.org>
Hello folks!

Akamai has ran into some issues with cookies where Cookie Controls
<https://w3c.github.io/webappsec-csp/cookies/> would've been extremely
helpful. Digging up the issues that lead to its obsoletion didn't reveal
much reasoning, so I'm wondering why is was rendered obsolete, and whether
there are alternative proposed mechanisms to replace it.

Our use case is providing customers traffic delivery in customer-controlled
subdomain of an Akamai domain. An example of that would be
cdnexampledomain.com where foo.cdnexampledomain.com and
bar.cdnexampledomain.com are customer-controlled.
The concern is that each of these subdomains can set cookies on the
cdnexampledomain.com domain, polluting the shared namespace, and sending
cookies to domains outside their control.

While Akamai can filter header based cookies on those domains, it cannot
prevent JS from adding such cookies.

We would be interested in a header that we can set, and which can prevent
those subdomains from setting cookies on the parent domain, while enabling
them to continue to set whatever cookies they need on the subdomain itself.

When mentioning this use-case on the call yesterday, suborigins
<https://w3c.github.io/webappsec-suborigins> was raised as a potential
solution for this use-case, but looking at the draft, I'm not sure how it
would without making those subdomain documents cookie-averse, and make it
so they can't set cookies from JS at all (which may not be compatible with
current, non-malicious content on those domains).
But it's fairly possible that I'm Holding It Wrong™.

I also realize that we want to move away from cookies
<https://github.com/mikewest/http-state-tokens>, which would be great, but
in the {short,mid}-term they'd probably still be around, so better control
mechanisms can be very helpful.

To sum up, my questions are:
* Why was Cookie Controls obsoleted?
* Are there any alternatives? Otherwise, can it be revived?

Cheers :)
Yoav
Received on Thursday, 16 August 2018 08:42:17 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 16 August 2018 08:42:18 UTC