
Re: [CSP3] Suggestion for COOKIE directive

From: John Wilander <wilander@apple.com>
Date: Wed, 24 Oct 2018 08:45:55 -0700
Cc: public-webappsec@w3.org
Message-id: <F8FA2668-6A14-4102-A05F-5EBA37D3B03B@apple.com>
To: Matt Rosenquist <mattrq@gmail.com>

Hi Matt!

> On Oct 23, 2018, at 12:31 PM, Matt Rosenquist <mattrq@gmail.com> wrote:
> 
> Hi,
> 
> I would like to suggest a set of new directives for the content security policy which would allow the site to limit access to cookies. 
> 
> This may be in three forms (first being the most important):
> - cookie-src (read/write)
> - cookie-read (readonly)
> - cookie-write (write only)

I assume you mean same-origin things, that is, controlling whether cross-site requests get cookies and cross-site iframes get access to their document.cookie. Correct?

Would the defaults be no access?

> The main reason to add this directive would be a way to allow site owners to ensure that their content policies align with the technologies and tools used on the site, both with client-run scripts and server-side cookie handling. 
> 
> Other benefits would be greater security, especially around limiting data tracking to only the intended parties / scripts.  Additionally, greater possible transparency to the user as to how cookies are used.

Some browsers already restrict third-party cookie access by default and would not want to relax the restriction based on what a specific page says. So a page’s CSP could only serve as a minimum restriction on cookies.

   Regards, John
Received on Wednesday, 24 October 2018 15:46:20 UTC
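As an added illustration (not part of the thread, and not any browser's or the CSP specification's code), the following JavaScript models the composition John describes: a page-declared cookie policy can only tighten what the browser already allows, never relax it. Only the directive name `cookie-src` comes from Matt's proposal; everything else is an assumption made for this model: the directive grammar (a source list of `'self'`, `'none'` or literal origins), the `browserDefaults` object standing in for a browser's built-in third-party cookie blocking, origin-level rather than site-level matching, and the choice that a page without the directive simply defers to the browser (the "no access by default?" question John raises is left open in the thread).

```javascript
// Added example: a model of how a hypothetical `cookie-src` CSP directive
// would have to compose with a browser's own default cookie policy.
// Assumptions (not from the thread): the directive grammar, the
// browserDefaults shape, origin-only matching (no same-site logic, no
// wildcards), and "missing directive == defer to the browser".

// Minimal CSP header parser: "a b; c d" -> Map { a => [b], c => [d] }.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does one source expression match the origin asking for cookies?
// Only 'none', 'self' and exact origin strings are modelled.
function sourceMatches(source, pageOrigin, requesterOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return requesterOrigin === pageOrigin;
  return source === requesterOrigin;
}

// Page-level decision. Assumption: no cookie-src directive means the page
// expresses no opinion and the browser default alone decides.
function pageAllowsCookies(policy, pageOrigin, requesterOrigin) {
  const sources = policy.get('cookie-src');
  if (sources === undefined) return true;
  return sources.some(s => sourceMatches(s, pageOrigin, requesterOrigin));
}

// Browser-level decision, modelling "some browsers already restrict
// third-party cookie access by default": a cross-origin requester gets
// nothing when blockThirdParty is set, whatever the page says.
function browserAllowsCookies(browserDefaults, pageOrigin, requesterOrigin) {
  if (requesterOrigin === pageOrigin) return true;
  return !browserDefaults.blockThirdParty;
}

// Effective decision: the page policy is a minimum restriction, so cookies
// flow only when BOTH the browser default and the page policy allow it.
function effectiveCookieAccess(cspHeader, browserDefaults, pageOrigin, requesterOrigin) {
  const policy = parseCsp(cspHeader);
  return browserAllowsCookies(browserDefaults, pageOrigin, requesterOrigin)
      && pageAllowsCookies(policy, pageOrigin, requesterOrigin);
}

// Constructed scenarios: one page, one embedded third party, two browsers.
function demo() {
  const page = 'https://example.com';
  const thirdParty = 'https://ads.example.net';
  const header = "cookie-src 'self' https://ads.example.net; script-src 'self'";
  return {
    // Page opts the third party in, but the browser blocks by default:
    // the page cannot relax the browser restriction.
    blockingBrowser: effectiveCookieAccess(header, { blockThirdParty: true }, page, thirdParty),
    // Permissive browser, page opts the third party in: allowed.
    permissiveBrowser: effectiveCookieAccess(header, { blockThirdParty: false }, page, thirdParty),
    // Permissive browser, page restricts to 'self': the page tightens.
    pageTightens: effectiveCookieAccess("cookie-src 'self'", { blockThirdParty: false }, page, thirdParty),
  };
}

console.log(demo());
```

The asymmetry is the whole point of John's remark: `effectiveCookieAccess` is a conjunction, so adding a `cookie-src` entry can only remove cookies from a context the browser would otherwise have served, and a browser that blocks third-party cookies returns the same answer whether or not the page lists the third party.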
