[http-state] Ticket 6: host-only cookies
Adam Barth <ietf@adambarth.com> Fri, 22 January 2010 08:51 UTC
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 22 Jan 2010 00:50:37 -0800
Message-ID: <7789133a1001220050m56cc438x35099b7972639331@mail.gmail.com>
To: http-state <http-state@ietf.org>
I raised this ticket because I wanted to check with the working group since this is a non-trivial decision:

http://trac.tools.ietf.org/wg/httpstate/trac/ticket/6

== Overview ==

If http://example.com/ sends the following header:

Set-Cookie: foo=bar

what Cookie header should the user agent generate for http://qux.example.com/ ?

Firefox, Chrome, Safari, and Opera say that foo=bar is a "host-only" cookie that is returned to example.com only. Internet Explorer doesn't have a concept of a host-only cookie and returns the cookie to example.com and all of its subdomains, including qux.example.com.

The lack of host-only cookies in IE is a security issue because it prevents hosts from keeping cookies confidential from their subdomains. This behavior surprises enough web developers to be on Eric's cookie FAQ (see Q3):

http://blogs.msdn.com/ieinternals/archive/2009/08/20/WinINET-IE-Cookie-Internals-FAQ.aspx

== Proposal ==

1) Specify host-only cookies to match Firefox, Chrome, Safari, and Opera. This is best for security, and I think there's a good chance that IE will adopt host-only cookies in future, but I don't have any citable evidence for this belief. (The draft currently matches this proposal.)

== Alternatives ==

2) Specify the IE behavior. I think this approach is a dead end because I'd be very surprised if all the non-IE browsers weakened their security in this regard.

3) Allow both behaviors. This alternative is the worst for security because it makes the cookie protocol less predictable.

When all the other browsers agree on a behavior that's better than the IE behavior, I think we can require the non-IE behavior.

Adam
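The two behaviors the message contrasts, as an added Python example that is not part of the original post or of any browser's code: a minimal cookie store that models the host-only rule of option 1 beside the IE behavior described (a Domain-less cookie treated like a domain cookie for its origin host), and the Cookie header each would send to example.com and qux.example.com. The parsing and matching helpers are simplified assumptions for illustration, not RFC text.

```python
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # host (or Domain attribute value) the cookie belongs to, lowercased
    host_only: bool   # True when the Set-Cookie header carried no Domain attribute


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse 'name=value; attr=val; ...' received from request_host.
    Host-only rule (option 1 in the ticket): no Domain attribute => host-only cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = val.strip().lstrip(".").lower()   # leading dot is ignored
    if domain is None:
        return Cookie(name.strip(), value.strip(), request_host.lower(), True)
    return Cookie(name.strip(), value.strip(), domain, False)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """Domain-match: the request host equals the cookie domain or is a subdomain of it."""
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookie_header(jar, request_host: str, ie_style: bool = False) -> str:
    """Build the Cookie header a user agent would send to request_host.
    ie_style=False: host-only cookies go back to the exact host only (Firefox/Chrome/Safari/Opera).
    ie_style=True:  no host-only concept, so the cookie is also sent to every subdomain (IE)."""
    sent = []
    for c in jar:
        if c.host_only and not ie_style:
            if request_host.lower() != c.domain:
                continue
        elif not domain_matches(request_host, c.domain):
            continue
        sent.append(f"{c.name}={c.value}")
    return "; ".join(sent)


if __name__ == "__main__":
    # Constructed sample: the ticket's header plus an explicit Domain cookie for contrast.
    jar = [parse_set_cookie("foo=bar", "example.com"),
           parse_set_cookie("sess=1; Domain=.example.com", "example.com")]
    for host in ("example.com", "qux.example.com"):
        print(host, "| host-only:", repr(cookie_header(jar, host)),
              "| IE-style:", repr(cookie_header(jar, host, ie_style=True)))
```

Run as a script it shows that qux.example.com receives only sess=1 under the host-only rule but foo=bar as well under the IE model, which is exactly the confidentiality gap the message describes.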