Standardizing Security Semantics of Cross-Site Cookies

Hi everyone,

Dylan, Kaustubha and I have been working on a new proposal to converge
browsers on semantics for blocking cross-site cookies
<https://github.com/DCtheTall/standardizing-cross-site-cookie-semantics/>,
in the interest of solving security challenges that arise when cross-site
cookies continue to be allowed by default in certain edge cases.

As we've outlined in the document, all browsers perform cross-site cookie
blocking a bit differently, with the main difference being that Chrome
adheres to the "site for cookies
<https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-11#section-5.2.1>"
when determining cross-site-ness for cookie blocking, whereas Firefox and
Safari compare the top-level site without considering the ancestor chain.
This particularly impacts the "ABA" case when a site A embeds another site
B, which then embeds A again.

We would like to default the web platform to the more secure behavior here,
but recognize that we have to consider viable methods for developers to opt
into the less secure alternative. One such method could be the Storage
Access API <https://github.com/privacycg/storage-access>.

There are a lot more details in the document, and we'd appreciate your
feedback. We aim to present this topic at the 04/19 call
<https://github.com/w3c/webappsec/issues/620> and hope to see you all there!

Johann

Received on Wednesday, 29 March 2023 14:28:45 UTC
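To make the difference concrete, here is an added illustration (not code from the proposal or from any browser) of the two cross-site decisions the post describes, run over the ABA embedding chain. Assumptions: the "site" is approximated as scheme plus the last two host labels instead of a Public Suffix List lookup, and the frame chain is represented as a plain array of URLs from the top-level document down to the frame issuing the request.

```javascript
// Simplified "site": scheme + registrable domain, approximated here as the last
// two host labels. Real browsers consult the Public Suffix List (assumption:
// no multi-label public suffixes such as co.uk appear in the inputs).
function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split('.');
  return `${u.protocol}//${labels.slice(-2).join('.')}`;
}

// "Site for cookies" in the spirit of rfc6265bis section 5.2.1: the top-level
// site if every document in the ancestor chain is same-site with it, else null.
// `chain` lists frame URLs from the top-level document down to the requester.
function siteForCookies(chain) {
  const top = siteOf(chain[0]);
  return chain.every((url) => siteOf(url) === top) ? top : null;
}

// Model the post attributes to Chrome: a request is cross-site unless its
// site matches a non-null site-for-cookies.
function isCrossSiteViaSiteForCookies(requestUrl, chain) {
  const sfc = siteForCookies(chain);
  return sfc === null || siteOf(requestUrl) !== sfc;
}

// Model the post attributes to Firefox and Safari: compare the request's site
// with the top-level site only, ignoring intermediate ancestors.
function isCrossSiteViaTopLevelOnly(requestUrl, chain) {
  return siteOf(requestUrl) !== siteOf(chain[0]);
}

// Constructed ABA case: a.example embeds b.example, which embeds a.example
// again; the innermost frame requests a resource from a.example.
const abaChain = [
  'https://a.example/',
  'https://b.example/embed',
  'https://a.example/inner',
];
const abaRequest = 'https://a.example/api';

// Returns both verdicts for the ABA case so they can be compared side by side.
function abaComparison() {
  return {
    siteForCookies: isCrossSiteViaSiteForCookies(abaRequest, abaChain), // true: cookies blocked
    topLevelOnly: isCrossSiteViaTopLevelOnly(abaRequest, abaChain), // false: cookies sent
  };
}
```

The intermediate b.example frame is what flips the verdict: under the site-for-cookies model it makes the whole chain cross-site, while the top-level-only comparison never sees it.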