Mike,

It is often hard for UAs to tell first-party from third-party accesses. For example, third-party blocking is being circumvented via redirection. JavaScript changes the href of a same-origin anchor tag, e.g. a menu item, to point to a third-party origin with the original href as a query parameter. The third-party server responds with a 302 redirect back to the original href, along with a Set-Cookie header, when the menu item is clicked.

The browser cannot tell it is “really” a third-party and the user may have no indication they were going to be redirected through the third-party.

The first-party attribute would have to stop cookies being sent in this kind of redirected request.

Mike O’Neill
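
The bounce described above, as an added illustration that is not part of either message in this thread: it compares a legacy "top-level navigations are first-party" cookie policy with a redirect-chain-aware first-party rule. The hostnames are constructed, and the chain-aware semantics (withhold first-party cookies for the rest of a chain once any hop leaves the initiating site) are an assumption made for this example, not a quotation of the draft.

```javascript
// Registrable domain, simplified to the last two host labels (assumption made
// for this example; a real UA consults the Public Suffix List).
function site(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Legacy third-party blocking: a top-level navigation is first-party by
// definition, so only subresource requests are compared with the top-level site.
function legacyAllowsCookies(hop) {
  return hop.kind === 'navigation' || site(hop.url) === site(hop.topLevel);
}

// First-party attribute semantics as assumed here (not quoted from the draft):
// once any hop of a redirect chain leaves the site that initiated the
// navigation, cookies marked first-party are withheld for the rest of the chain,
// including the final hop that lands back on the initiator's own site.
function firstPartyVerdicts(initiator, chain) {
  let leftSite = false;
  return chain.map(hop => {
    if (site(hop.url) !== site(initiator)) leftSite = true;
    return !leftSite;
  });
}

// Compare both policies on a chain and flag the bounce pattern from the thread:
// a cross-site hop followed by a return to the initiating site.
function analyseChain(initiator, chain) {
  const legacy = chain.map(legacyAllowsCookies);
  const firstParty = firstPartyVerdicts(initiator, chain);
  const last = chain[chain.length - 1];
  const laundered = firstParty.includes(false) && site(last.url) === site(initiator);
  return { legacy, firstParty, laundered };
}

// Constructed scenario: a script rewrote a menu link on news.example to bounce
// through tracker.example, whose 302 Location points back at the original href.
const initiator = 'https://news.example/home';
const bouncedChain = [
  { kind: 'navigation', topLevel: 'https://tracker.example/r',
    url: 'https://tracker.example/r?next=https%3A%2F%2Fnews.example%2Fmenu' },
  { kind: 'navigation', topLevel: 'https://news.example/menu',
    url: 'https://news.example/menu' },
];
// Control: the same menu link clicked without the rewrite.
const directChain = [
  { kind: 'navigation', topLevel: 'https://news.example/menu', url: 'https://news.example/menu' },
];

function bouncedResult() { return analyseChain(initiator, bouncedChain); }
function directResult() { return analyseChain(initiator, directChain); }
```

The legacy policy lets cookies through on both hops of the bounce because each is a top-level navigation; the chain-aware rule withholds them on both hops and flags the chain.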

From: Mike West [mailto:mkwst@google.com]
Sent: 28 January 2015 09:34
To: Yehuda Katz
Cc: Daniel Appelquist; TAG List
Subject: Re: Cookies Settings Observations

On Mon, Jan 26, 2015 at 9:12 PM, Yehuda Katz <wycats@gmail.com> wrote:

I recently asked around about why we don't have a CSP mechanism (or other opt in) to tell the browser that the cookies of a particular domain are "same origin only".

Ah, cookies. What a mess.

I took a stab at something like this in https://tools.ietf.org/html/draft-west-first-party-cookies-00. There seems to be vague interest in the HTTP WG, but I haven't gotten around to putting a prototype together yet.

-mike


--
Mike West <mkwst@google.com>, 
@mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores

(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)