idnits 2.17.1
draft-west-first-party-cookies-00.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The document seems to lack an IANA Considerations section. (See Section
2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
when there are no actions for IANA.)
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (October 27, 2014) is 3468 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
-- Possible downref: Non-RFC (?) normative reference: ref. 'HTML'
Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 2 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 HTTPbis M. West
3 Internet-Draft Google, Inc
4 Updates: 6265 (if approved) October 27, 2014
5 Intended status: Standards Track
6 Expires: April 30, 2015
8 First-Party Cookies
9 draft-west-first-party-cookies-00
11 Abstract
13 This document updates RFC6265, defining the "First-Party" attribute
14 for cookies, which allows servers to mitigate the risk of cross-site
15 request forgery and related information leakage attacks by asserting
16 that a particular cookie should only be sent in a "first-party"
17 context.
19 Status of This Memo
21 This Internet-Draft is submitted in full conformance with the
22 provisions of BCP 78 and BCP 79.
24 Internet-Drafts are working documents of the Internet Engineering
25 Task Force (IETF). Note that other groups may also distribute
26 working documents as Internet-Drafts. The list of current Internet-
27 Drafts is at http://datatracker.ietf.org/drafts/current/.
29 Internet-Drafts are draft documents valid for a maximum of six months
30 and may be updated, replaced, or obsoleted by other documents at any
31 time. It is inappropriate to use Internet-Drafts as reference
32 material or to cite them other than as "work in progress."
34 This Internet-Draft will expire on April 30, 2015.
36 Copyright Notice
38 Copyright (c) 2014 IETF Trust and the persons identified as the
39 document authors. All rights reserved.
41 This document is subject to BCP 78 and the IETF Trust's Legal
42 Provisions Relating to IETF Documents
43 (http://trustee.ietf.org/license-info) in effect on the date of
44 publication of this document. Please review these documents
45 carefully, as they describe your rights and restrictions with respect
46 to this document. Code Components extracted from this document must
47 include Simplified BSD License text as described in Section 4.e of
48 the Trust Legal Provisions and are provided without warranty as
49 described in the Simplified BSD License.
51 Table of Contents
53 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
54 1.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . 3
55 2. Terminology and notation . . . . . . . . . . . . . . . . . . 3
56 2.1. First-party and Third-party Requests . . . . . . . . . . 3
57 3. Server Requirements . . . . . . . . . . . . . . . . . . . . . 4
58 3.1. Grammar . . . . . . . . . . . . . . . . . . . . . . . . . 4
59 3.2. Semantics of the "First-Party" Attribute (Non-Normative) 4
60 4. User Agent Requirements . . . . . . . . . . . . . . . . . . . 5
61 4.1. The "First-Party" attribute . . . . . . . . . . . . . . . 5
62 4.2. Monkey-patching the Storage Model . . . . . . . . . . . . 5
63 4.3. Monkey-patching the "Cookie" header . . . . . . . . . . . 6
64 5. Authoring Considerations . . . . . . . . . . . . . . . . . . 6
65 5.1. Mashups and Widgets . . . . . . . . . . . . . . . . . . . 6
66 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6
67 6.1. User Controls . . . . . . . . . . . . . . . . . . . . . . 6
68 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7
69 7.1. Limitations . . . . . . . . . . . . . . . . . . . . . . . 7
70 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
71 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
72 9.1. Normative References . . . . . . . . . . . . . . . . . . 7
73 9.2. Informative References . . . . . . . . . . . . . . . . . 8
74 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8
76 1. Introduction
78 Section 8.2 of [RFC6265] eloquently notes that cookies are a form of
79 ambient authority, attached by default to requests the user agent
80 sends on a user's behalf. Even when an attacker doesn't know the
81 contents of a user's cookies, she can still execute commands on the
82 user's behalf (and with the user's authority) by asking the user
83 agent to send HTTP requests to unwary servers.
85 Here, we update [RFC6265] with a simple mitigation strategy that
86 allows servers to declare certain cookies as "First-party cookies"
87 which should be attached to requests if and only if they occur in a
88 first-party context.
90 Note that the mechanism outlined here is backwards compatible with
91 the existing cookie syntax. Servers may serve first-party cookies to
92 all user agents; those that do not support the "First-Party"
93 attribute will simply store a non-first-party cookie, just as they do
94 today.
96 1.1. Examples
98 First-party cookies are set via the "First-Party" attribute in the
99 "Set-Cookie" header field. That is, given a server's response to a
100 user agent which contains the following header field:
102 Set-Cookie: SID=31d4d96e407aad42; First-Party
104 Subsequent requests from that user agent can be expected to contain
105 the following header field if and only if both the requested resource
106 and the resource in the top-level browsing context match the cookie.
108 2. Terminology and notation
110 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
111 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
112 document are to be interpreted as described in [RFC2119].
114 This specification uses the Augmented Backus-Naur Form (ABNF)
115 notation of [RFC5234].
117 Two sequences of octets are said to case-insensitively match each
118 other if and only if they are equivalent under the "i;ascii-casemap"
119 collation defined in [RFC4790].
121 The terms "active document", and "top-level browsing context" are
122 defined in the HTML Living Standard. [HTML]
124 The term "origin" and the mechanism of deriving an origin from a URI
125 are defined in [RFC6454].
127 2.1. First-party and Third-party Requests
129 The URL displayed in a user agent's address bar is the only security
130 context directly exposed to users, and therefore the only signal
131 users can reasonably rely upon to determine who they're talking to.
133 Broadly speaking, then, a "first-party" request is an HTTP request
134 for a resource whose URL's origin matches the origin of the URL the
135 user sees in the address bar. A "third-party" request is an HTTP
136 request for a resource at any other origin.
138 To be slightly more precise, given an HTTP request "request":
140 1. Let "context" be the top-level browsing context in the window
141 responsible for "request".
143 2. Let "top-origin" be the origin of the location of the active
144 document in "context".
146 3. If the origin of "request"'s URL is the same as "top-origin",
147 "request" is a *first-party request*. Otherwise, "request" is a
148 *third-party request*.
150 Note that we deal with the document's _location_ in step 2 above, not
151 with the document's origin. For example, a top-level document from
152 "https://example.com" which has been sandboxed into a unique origin
153 still creates a non-unique first-party context for subsequent
154 requests.
156 This definition has a few implications:
158 o New windows create new first-party contexts.
160 o Full-page navigations create new first-party contexts. Notably,
161 this includes both HTTP and ""-driven redirects.
163 o "