
Re: [CSP3] Suggestion for COOKIE directive

From: Daniel Veditz <dveditz@mozilla.com>
Date: Wed, 24 Oct 2018 22:15:40 +0200
Message-ID: <CADYDTCCyU6W_FsjCCrEoJZHaKTAWGJjY__FOqpnrvWRFf6raNA@mail.gmail.com>
To: mattrq@gmail.com
Cc: WebAppSec WG <public-webappsec@w3.org>

On Wed, Oct 24, 2018 at 3:25 PM Matt Rosenquist <mattrq@gmail.com> wrote:
> I would like to suggest a set of new directives for the content security
> policy which would allow the site to limit access to cookies.

What do you mean by "access to cookies"? Are you talking about scripted
access to document.cookies, HTTP cookie headers, or both?

Can you give concrete examples of security problems or concerns sites have
today that this new control would resolve?

What hacky workarounds are sites having to do to mitigate these problems in
the meantime?

What will sites have to do in a world where some browsers support this and
some don't yet? Would these old hacky workarounds coexist with the CSP
control so that sites don't have to choose between being unsafe in older
browsers or broken content in newer browsers?

> This may be in three forms (first being the most important):
> - cookie-src (read/write)

This is already the default web behavior so it would seem least important
(just don't specify a cookie directive).

-Dan Veditz

Received on Wednesday, 24 October 2018 20:16:15 UTC