idnits 2.17.1 

draft-west-cookie-prefixes-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (October 12, 2015) is 3117 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

     No issues found here.

     Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	HTTPbis                                                          M. West
3	Internet-Draft                                               Google, Inc
4	Updates: 6265 (if approved)                             October 12, 2015
5	Intended status: Standards Track
6	Expires: April 14, 2016

8	                            Cookie Prefixes
9	                     draft-west-cookie-prefixes-04

11	Abstract

13	   This document updates RFC6265 by adding a set of restrictions upon
14	   the names which may be used for cookies with specific properties.
15	   These restrictions enable user agents to smuggle cookie state to the
16	   server within the confines of the existing "Cookie" request header
17	   syntax, and limits the ways in which cookies may be abused in a
18	   conforming user agent.

20	Status of This Memo

22	   This Internet-Draft is submitted in full conformance with the
23	   provisions of BCP 78 and BCP 79.

25	   Internet-Drafts are working documents of the Internet Engineering
26	   Task Force (IETF).  Note that other groups may also distribute
27	   working documents as Internet-Drafts.  The list of current Internet-
28	   Drafts is at http://datatracker.ietf.org/drafts/current/.

30	   Internet-Drafts are draft documents valid for a maximum of six months
31	   and may be updated, replaced, or obsoleted by other documents at any
32	   time.  It is inappropriate to use Internet-Drafts as reference
33	   material or to cite them other than as "work in progress."

35	   This Internet-Draft will expire on April 14, 2016.

37	Copyright Notice

39	   Copyright (c) 2015 IETF Trust and the persons identified as the
40	   document authors.  All rights reserved.

42	   This document is subject to BCP 78 and the IETF Trust's Legal
43	   Provisions Relating to IETF Documents
44	   (http://trustee.ietf.org/license-info) in effect on the date of
45	   publication of this document.  Please review these documents
46	   carefully, as they describe your rights and restrictions with respect
47	   to this document.  Code Components extracted from this document must
48	   include Simplified BSD License text as described in Section 4.e of
49	   the Trust Legal Provisions and are provided without warranty as
50	   described in the Simplified BSD License.

52	Table of Contents

54	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
55	   2.  Terminology and notation  . . . . . . . . . . . . . . . . . .   2
56	   3.  Prefixes  . . . . . . . . . . . . . . . . . . . . . . . . . .   3
57	     3.1.  The "$Secure-" prefix . . . . . . . . . . . . . . . . . .   3
58	     3.2.  The "$Host-" prefix . . . . . . . . . . . . . . . . . . .   3
59	   4.  User Agent Requirements . . . . . . . . . . . . . . . . . . .   4
60	   5.  Aesthetic Considerations  . . . . . . . . . . . . . . . . . .   4
61	   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
62	     6.1.  Secure Origins Only . . . . . . . . . . . . . . . . . . .   4
63	     6.2.  Limitations . . . . . . . . . . . . . . . . . . . . . . .   5
64	   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
65	     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   5
66	     7.2.  Informative References  . . . . . . . . . . . . . . . . .   5
67	   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .   6
68	   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   6

70	1.  Introduction

72	   Section 8.5 and Section 8.6 of [RFC6265] spell out some of the
73	   drawbacks of cookies' implementation: due to historical accident, it
74	   is impossible for a server to have confidence that a cookie set in a
75	   secure way (e.g., as a domain cookie with the "Secure" (and possibly
76	   "HttpOnly") flags set) remains intact and untouched by non-secure
77	   subdomains.

79	   We can't alter the syntax of the "Cookie" request header, as that
80	   would likely break a number of implementations.  This rules out
81	   sending a cookie's flags along with the cookie directly, but we can
82	   smuggle information along with the cookie if we reserve certain name
83	   prefixes for cookies with certain properties.

85	   This document describes such a scheme, which enables servers to set
86	   cookies which conforming user agents will ensure are "Secure", and
87	   locked to a domain.

89	2.  Terminology and notation

91	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
92	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
93	   document are to be interpreted as described in [RFC2119].

95	   The "scheme" component of a URI is defined in Section 3 of [RFC3986].

97	3.  Prefixes

99	3.1.  The "$Secure-" prefix

101	   If a cookie's name begins with "$Secure-", the cookie MUST be:

103	   1.  Set with a "Secure" attribute

105	   2.  Set from a URI whose "scheme" is considered "secure" by the user
106	       agent.

108	   The following cookie would be rejected when set from any origin, as
109	   the "Secure" flag is not set

111	   Set-Cookie: $Secure-SID=12345; Domain=example.com

113	   While the following would be accepted if set from a secure origin
114	   (e.g.  "https://example.com/"), and rejected otherwise:

116	   Set-Cookie: $Secure-SID=12345; Secure; Domain=example.com

118	3.2.  The "$Host-" prefix

120	   If a cookie's name begins with "$Host-", the cookie MUST be:

122	   1.  Set with a "Secure" attribute

124	   2.  Set from a URI whose "scheme" is considered "secure" by the user
125	       agent.

127	   3.  Sent only to the host which set the cookie.  That is, a cookie
128	       named "$Host-cookie1" set from "https://example.com" MUST NOT
129	       contain a "Domain" attribute (and will therefore be sent only to
130	       "example.com", and not to "subdomain.example.com").

132	   4.  Sent to every request for a host.  That is, a cookie named
133	       "$Host-cookie1" MUST contain a "Path" attribute with a value of
134	       "/".

136	   The following cookies would always be rejected:

138	   Set-Cookie: $Host-SID=12345
139	   Set-Cookie: $Host-SID=12345; Secure
140	   Set-Cookie: $Host-SID=12345; Domain=example.com
141	   Set-Cookie: $Host-SID=12345; Domain=example.com; Path=/
142	   Set-Cookie: $Host-SID=12345; Secure; Domain=example.com; Path=/
143	   While the following would be accepted if set from a secure origin
144	   (e.g.  "https://example.com/"), and rejected otherwise:

146	   Set-Cookie: $Host-SID=12345; Secure; Path=/

148	4.  User Agent Requirements

150	   This document updates Section 5.3 of [RFC6265] as follows:

152	   After step 10 of the current algorithm, the cookies flags are set.
153	   Insert the following steps to perform the prefix checks this document
154	   specifies:

156	   1.  If the "cookie-name" begins with the string "$Secure-" or
157	       "$Host-", abort these steps and ignore the cookie entirely unless
158	       both of the following conditions are true:

160	       *  The cookie's "secure-only-flag" is "true"

162	       *  "request-uri"'s "scheme" component denotes a "secure" protocol
163	          (as determined by the user agent)

165	   2.  If the "cookie-name" begins with the string "$Host-", abort these
166	       steps and ignore the cookie entirely unless the following
167	       conditions are true:

169	       *  The cookie's "host-only-flag" is "true"

171	       *  The cookie's "path" is "/"

173	5.  Aesthetic Considerations

175	   Prefixes are ugly. :(

177	6.  Security Considerations

179	6.1.  Secure Origins Only

181	   It would certainly be possible to extend this scheme to non-secure
182	   origins (and an earlier draft of this document did exactly that).
183	   User agents, however, are slowly moving towards a world where
184	   features with security implications are available only over secure
185	   transport (see [SECURE-CONTEXTS], [POWERFUL-FEATURES], and
186	   [DEPRECATING-HTTP]).  This document follows that trend, limiting
187	   exciting new cookie properties to secure transport in order to ensure
188	   that user agents can make claims which middlemen will have a hard
189	   time violating.

191	   To that end, note that the requirements listed above mean that
192	   prefixed cookies will be rejected entirely if a non-secure origin
193	   attempts to set them.

195	6.2.  Limitations

197	   This scheme gives no assurance to the server that the restrictions on
198	   cookie names are enforced.  Servers could certainly probe the user
199	   agent's functionality to determine support, or sniff based on the
200	   "User-Agent" request header, if such assurances were deemed
201	   necessary.

203	7.  References

205	7.1.  Normative References

207	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
208	              Requirement Levels", BCP 14, RFC 2119, March 1997.

210	   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
211	              Resource Identifier (URI): Generic Syntax", STD 66, RFC
212	              3986, DOI 10.17487/RFC3986, January 2005,
213	              <http://www.rfc-editor.org/info/rfc3986>.

215	   [RFC6265]  Barth, A., "HTTP State Management Mechanism", RFC 6265,
216	              April 2011.

218	7.2.  Informative References

220	   [DEPRECATING-HTTP]
221	              Barnes, R., "Deprecating Non-Secure HTTP", n.d.,
222	              <https://blog.mozilla.org/security/2015/04/30/deprecating-
223	              non-secure-http/>.

225	   [Lawrence2015]
226	              Lawrence, E., "Duct Tape and Baling Wire -- Cookie
227	              Prefixes", n.d., <http://textslashplain.com/2015/10/09/
228	              duct-tape-and-baling-wirecookie-prefixes/>.

230	   [POWERFUL-FEATURES]
231	              Palmer, C., "Prefer Secure Origins for Powerful New
232	              Features", n.d., <https://www.chromium.org/Home/chromium-
233	              security/prefer-secure-origins-for-powerful-new-features>.

235	   [SECURE-CONTEXTS]
236	              West, M., "Secure Contexts", n.d., <https://w3c.github.io/
237	              webappsec-secure-contexts/>.

239	Appendix A.  Acknowledgements

241	   Eric Lawrence had this idea a million years ago, and wrote about its
242	   genesis in [Lawrence2015].  Devdatta Akhawe helped justify the
243	   potential impact of the scheme on real-world websites.

245	Author's Address

247	   Mike West
248	   Google, Inc

250	   Email: mkwst@google.com
251	   URI:   https://mikewest.org/