
Re: [CSP3] Suggestion for COOKIE directive

From: Jim Manico <jim.manico@owasp.org>
Date: Thu, 25 Oct 2018 09:05:50 -0400
To: Frederik Braun <fbraun@mozilla.com>, Matt Rosenquist <mattrq@gmail.com>, public-webappsec@w3.org
Message-ID: <27ea57aa-a5d4-adab-e909-2d2f8892d98a@owasp.org>
> What makes cookies special? Why not include DOM Storage et al.?

DOM Storage is easily harvested via XSS while HTTPOnly cookies are
resistant to theft via XSS and contain a variety of other controls that
do not exist in DOM Storage.

- Jim


On 10/25/18 3:13 AM, Frederik Braun wrote:
> On 23.10.18 at 21:31, Matt Rosenquist wrote:
>> Hi,
>>
>> I would like to suggest a set of new directives for the content security policy which would allow the site to limit access to cookies. 
>
> What makes cookies special?
> Why not include DOM Storage et al.?
>
>
>> This may be in three forms (the first being the most important):
>> - cookie-src (read/write)
>> - cookie-read (readonly)
>> - cookie-write (write only)
>>
>> The main reason to add this directive would be a way to allow site owners to ensure that their content policies align with the technologies and tools used on the site, both with client-run scripts and server-side cookie handling.
>>
>> Other benefits would be greater security, especially around limiting data tracking to one intended parties / scripts. Additionally, greater possible transparency to the user as to how cookies are used.
>>
>> Thank you for the consideration,
>> Matt
Received on Thursday, 25 October 2018 13:06:19 UTC
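The distinction Jim draws above (an HttpOnly cookie is sent on requests but hidden from script, while DOM Storage has no such flag) can be shown with a small model of a user agent's cookie jar. This is an added example, not code from the thread or from any browser; the cookie names, values and the `localStorage` object are constructed for illustration, and the functions (`setCookieHeader`, `parseSetCookie`, `documentCookie`, `cookieRequestHeader`, `storageSnapshot`) are hypothetical helpers that mirror the relevant browser behaviour.

```javascript
// Added example (not part of the mailing-list thread): a minimal model of a
// browser cookie jar, showing which cookies page script can read.
// All names and values below are constructed for illustration.

// Serialise a cookie the way a server emits it in a Set-Cookie header.
function setCookieHeader(name, value, attrs = {}) {
  const parts = [`${name}=${value}`];
  if (attrs.httpOnly) parts.push('HttpOnly');
  if (attrs.secure) parts.push('Secure');
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header into the record a user agent keeps in its jar.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
  };
  for (const attr of attrParts) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v;
    else if (key === 'path') cookie.path = v;
  }
  return cookie;
}

// What document.cookie exposes: every cookie in the jar except HttpOnly ones.
function documentCookie(jar) {
  return jar
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// What the Cookie request header carries: all cookies, HttpOnly included,
// so the server still sees the session cookie that script cannot read.
function cookieRequestHeader(jar) {
  return jar.map((c) => `${c.name}=${c.value}`).join('; ');
}

// DOM Storage has no equivalent attribute: anything stored is readable by
// any script running in the origin, which is the point Jim makes.
function storageSnapshot(store) {
  return Object.entries(store)
    .map(([k, v]) => `${k}=${v}`)
    .join('; ');
}

function demo() {
  const headers = [
    setCookieHeader('session', 'abc123', {
      httpOnly: true, secure: true, sameSite: 'Lax', path: '/',
    }),
    setCookieHeader('theme', 'dark', { path: '/' }),
  ];
  const jar = headers.map(parseSetCookie);
  // Constructed: the same secret kept in DOM Storage for comparison.
  const localStorage = { token: 'abc123' };
  return {
    scriptVisibleCookies: documentCookie(jar),
    requestCookies: cookieRequestHeader(jar),
    scriptVisibleStorage: storageSnapshot(localStorage),
  };
}

console.log(demo());
```

Running `demo()` shows the session cookie present in the request header but absent from the script-visible view, while the token in the storage object is fully visible to script; the only defensive control for the latter is not to put secrets there.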
