W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2018

Re: Cookie controls?

From: Artur Janc <aaj@google.com>
Date: Fri, 17 Aug 2018 14:43:34 -0700
Message-ID: <CAPYVjqrLgKGPDQ8_FTdF=yOjB1vk7xDq5=x9+8bga5s8fBOHUg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Yoav Weiss <yoav@yoav.ws>, erik@nygren.org, WebAppSec WG <public-webappsec@w3.org>
Regarding alternatives, what are the constraints that prevent you from
putting the CDN domain on the public suffix list (https://publicsuffix.org)?
AFAIK many sites which have registrable domains with subdomains hosting
user-controlled content use the PSL to prevent the cookie clashes you're
talking about -- some prominent examples include appspot.com, blogspot.com
and github.io.

Cheers,
-Artur

On Fri, Aug 17, 2018 at 12:38 AM Mike West <mkwst@google.com> wrote:

> To answer Yoav's questions:
>
> 1.  I stopped working on CSP's cookie controls because I thought it would
> be folded into Feature Policy. That didn't happen.
> 2.  There are no alternatives that I know of which give you the guarantees
> you're looking for. Perhaps we should build some.
>
> This seems like a reasonable kind of problem to address, but if we build
> something, let's not put it into CSP. I'm very interested in calling CSP3
> done, and never touching it again. :) Erik's `Limit-Cookies` header sounds
> fine (I'd prefer for it to live in origin policy, actually, but that's
> something of a mid-term project in itself).
>
> Dev's suggestion that we lean on prefixes sounds reasonable to me. That
> is, the limits we express could be prohibitions against sending/setting
> non-prefixed cookies (or setting cookies at all). I'd caution against
> saying that we could "constrain cookies to the Origin model", though:
> cookies don't respect ports, and given the not-terribly-enthusiastic
> response that https://tools.ietf.org/html/draft-west-origin-cookies-01
> got, I expect that `__Host-` is going to be the best that we can do.
>
> -mike
>
>
> On Fri, Aug 17, 2018 at 6:44 AM Devdatta Akhawe <dev.akhawe@gmail.com>
> wrote:
>
>> Not sure I understand. Javascript can't set a __Host cookie that is
>> broader context than the current host either. Do you want to do this for
>> applications where changing the application to use __Host cookies is not
>> possible (and thus, you want a header that can be added by a proxy in the
>> middle)?
>>
>> Also, slight clarification: if I am not wrong, a __Host cookie is still
>> not tied to origins. A __Host cookie on foo.bar.com will also go to
>> baz.foo.bar.com.
>>
>> --dev
>>
>>
>>
>> On 16 August 2018 at 19:17, Erik Nygren <erik@nygren.org> wrote:
>>
>>> I think my primary use-case is covered if we define a way to allow
>>> servers and/or origins to force Cookies to conform to the Origin model.
>>> (Being able to indicate that cookies are prohibited on an Origin is perhaps
>>> a secondary use-case.)
>>>
>>> Providing an ability to constrain cookies to the Origin model for a
>>> given Origin (and/or to prohibit them entirely) would help normalize some
>>> of the pain associated with cookies.
>>> Defining a simple header focused specifically on this use-case as part
>>> of 6265bis might be be one possible path, and that aligns with some of the
>>> other goals of 6265bis (eg, the introduction of __Host cookies).  For
>>> example, a response header of:
>>>
>>>     Limit-Cookies: origin
>>>     Limit-Cookies: none
>>>
>>> that would either be a sticky attribute to that origin and/or host
>>> (likely up to some expiry) or would apply to any active content resulting
>>> from the object associated with that response header.
>>>
>>> The challenge is that there's no way for a server to constrain all
>>> cookies to be __Host cookies (or otherwise be same-origin cookies) as
>>> javascript running within that origin context can choose to set cookies on
>>> something broader than the Origin.
>>>
>>>        Erik
>>>
>>>
>>>
>>> On Thu, Aug 16, 2018 at 9:37 PM, Devdatta Akhawe <dev.akhawe@gmail.com>
>>> wrote:
>>>
>>>> Hey Yoav
>>>>
>>>> Would __Host cookies help here? Maybe I am missing something about the
>>>> problem but it feels like they should.
>>>>
>>>> --Dev
>>>>
>>>> On 16 August 2018 at 01:41, Yoav Weiss <yoav@yoav.ws> wrote:
>>>>
>>>>> Hello folks!
>>>>>
>>>>> Akamai has ran into some issues with cookies where Cookie Controls
>>>>> <https://w3c.github.io/webappsec-csp/cookies/> would've been
>>>>> extremely helpful. Digging up the issues that lead to its obsoletion didn't
>>>>> reveal much reasoning, so I'm wondering why is was rendered obsolete, and
>>>>> whether there are alternative proposed mechanisms to replace it.
>>>>>
>>>>> Our use case is providing customers traffic delivery in
>>>>> customer-controlled subdomain of an Akamai domain. An example of that would
>>>>> be cdnexampledomain.com where foo.cdnexampledomain.com and
>>>>> bar.cdnexampledomain.com are customer-controlled.
>>>>> The concern is that each of these subdomains can set cookies on the
>>>>> cdnexampledomain.com domain, polluting the shared namespace, and
>>>>> sending cookies to domains outside their control.
>>>>>
>>>>> While Akamai can filter header based cookies on those domains, it
>>>>> cannot prevent JS from adding such cookies.
>>>>>
>>>>> We would be interested in a header that we can set, and which can
>>>>> prevent those subdomains from setting cookies on the parent domain, while
>>>>> enabling them to continue to set whatever cookies they need on the
>>>>> subdomain itself.
>>>>>
>>>>> When mentioning this use-case on the call yesterday, suborigins
>>>>> <https://w3c.github.io/webappsec-suborigins> was raised as a
>>>>> potential solution for this use-case, but looking at the draft, I'm not
>>>>> sure how it would without making those subdomain documents cookie-averse,
>>>>> and make it so they can't set cookies from JS at all (which may not be
>>>>> compatible with current, non-malicious content on those domains).
>>>>> But it's fairly possible that I'm Holding It Wrong™.
>>>>>
>>>>> I also realize that we want to move away from cookies
>>>>> <https://github.com/mikewest/http-state-tokens>, which would be
>>>>> great, but in the {short,mid}-term they'd probably still be around, so
>>>>> better control mechanisms can be very helpful.
>>>>>
>>>>> To sum up, my questions are:
>>>>> * Why was Cookie Controls obsoleted?
>>>>> * Are there any alternatives? Otherwise, can it be revived?
>>>>>
>>>>> Cheers :)
>>>>> Yoav
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
Received on Friday, 17 August 2018 21:44:14 UTC

This archive was generated by hypermail 2.3.1 : Friday, 17 August 2018 21:44:15 UTC