rfcdiff: draft-west-first-party-cookies-06.txt vs. draft-west-first-party-cookies-07.txt
(where the two drafts differ, both readings are given, labelled -06 and -07)

HTTPbis                                                          M. West
Internet-Draft                                               Google, Inc
Updates: 6265 (if approved)                                   M. Goodwin
Intended status: Standards Track                                 Mozilla
Expires: July 28, 2016 (-06) / October 8, 2016 (-07)
                            January 25, 2016 (-06) / April 6, 2016 (-07)

                            Same-site Cookies
       draft-west-first-party-cookies-06 / draft-west-first-party-cookies-07
Abstract

   This document updates RFC6265 by defining a "SameSite" attribute
   which allows servers to assert that a cookie ought not to be sent
   along with cross-site requests.  This assertion allows user agents to
   mitigate the risk of cross-origin information leakage, and provides
   some protection against cross-site request forgery attacks.
Status of This Memo

   skipping to change at page 1, line 35

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 28, 2016 (-06) / October 8,
   2016 (-07).
Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   skipping to change at page 2, line 29

   4.  User Agent Requirements . . . . . . . . . . . . . . . . . . .   8
     4.1.  The "SameSite" attribute  . . . . . . . . . . . . . . . .   8
       4.1.1.  "Strict" and "Lax" enforcement  . . . . . . . . . . .   8
     4.2.  Monkey-patching the Storage Model . . . . . . . . . . . .   9
     4.3.  Monkey-patching the "Cookie" header . . . . . . . . . . .  10
   5.  Authoring Considerations  . . . . . . . . . . . . . . . . . .  10
     5.1.  Defense in depth  . . . . . . . . . . . . . . . . . . . .  10
     5.2.  Top-level Navigations . . . . . . . . . . . . . . . . . .  11
     5.3.  Mashups and Widgets . . . . . . . . . . . . . . . . . . .  11
   6.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .  11
     6.1.  Server-controlled (-07 only)  . . . . . . . . . . . . . .  11
     6.2.  Pervasive Monitoring (-07 only) . . . . . . . . . . . . .  12
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  12
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .  12
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  13
   Appendix A.  Acknowledgements . . . . . . . . . . . .  13 (-06) / 14 (-07)
   Authors' Addresses  . . . . . . . . . . . . . . . . .  13 (-06) / 14 (-07)
1.  Introduction

   Section 8.2 of [RFC6265] eloquently notes that cookies are a form of
   ambient authority, attached by default to requests the user agent
   sends on a user's behalf.  Even when an attacker doesn't know the
   contents of a user's cookies, she can still execute commands on the
   user's behalf (and with the user's authority) by asking the user
   agent to send HTTP requests to unwary servers.
   skipping to change at page 3, line 44 (-06) / line 48 (-07)

       purposes.  It may be valuable for an origin to assert that its
       cookies should not be sent along with cross-site requests in
       order to limit its exposure to non-technical risk.
1.2.  Examples

   Same-site cookies are set via the "SameSite" attribute in the "Set-
   Cookie" header field.  That is, given a server's response to a user
   agent which contains the following header field:

   -06:  Set-Cookie: SID=31d4d96e407aad42; SameSite
   -07:  Set-Cookie: SID=31d4d96e407aad42; SameSite=Strict

   Subsequent requests from that user agent can be expected to contain
   the following header field if and only if both the requested resource
   and the resource in the top-level browsing context match the cookie.
2.  Terminology and notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].
   skipping to change at page 4, line 50

   An origin's "registrable domain" is the origin's host's public suffix
   plus the label to its left.  That is, "https://www.example.com"'s
   registrable domain is "example.com".  This concept is defined more
   rigorously in [PSL].

   The term "request", as well as a request's "client", "current url",
   "method", and "target browsing context", are defined in [FETCH].
2.1.  "Same-site" and "cross-site" Requests

   A request is "same-site" if its target's URI's origin's registrable
   domain is an exact match for the request's initiator's "site for
   cookies", and "cross-site" otherwise.  To be more precise, for a
   given request ("request"), the following algorithm returns "same-
   site" or "cross-site":

   1.  If "request"'s client is "null", return "same-site".

   2.  Let "site" be "request"'s client's "site for cookies" (as defined
       in the following sections).
   skipping to change at page 6, line 5

   "site for cookies" (either a registrable domain, or the empty
   string):

   1.  Let "top-document" be the active document in "document"'s
       browsing context's top-level browsing context.

   2.  Let "top-origin" be the origin of "top-document"'s URI if "top-
       document"'s sandboxed origin browsing context flag is set, and
       "top-document"'s origin otherwise.

   3.  Let "documents" be a list containing "document" and each of
       "document"'s ancestor browsing contexts' active documents.

   4.  For each "item" in "documents":

       1.  Let "origin" be the origin of "item"'s URI if "item"'s
           sandboxed origin browsing context flag is set, and "item"'s
           origin otherwise.

       2.  If "origin"'s host's registrable domain is not an exact match
           for "top-origin"'s host's registrable domain, return the
           empty string.
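   The "site for cookies" computation above and the same-site classification
   of Section 2.1, worked in Python as an added example (not text from the
   draft).  The public-suffix table is a constructed subset standing in for
   [PSL]; the Document and Request classes, and the treatment of an empty
   "site for cookies" as never matching (the steps after step 2 of the
   request algorithm are elided in this excerpt), are this example's
   assumptions.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List [PSL]; a real UA loads the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def registrable_domain(host: str) -> str:
    """Section 2: the host's public suffix plus the label to its left.
    Returns "" when the host is itself a public suffix (no registrable domain)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):                          # longest suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else ""
    return ".".join(labels)                               # no known suffix: whole host

@dataclass
class Document:
    url: str                              # the document's URI
    origin: Optional[str] = None          # serialized origin; None means the URL's own origin
    sandboxed: bool = False               # "sandboxed origin browsing context flag"
    parent: Optional["Document"] = None   # active document of the parent browsing context

    def host_for_site(self) -> str:
        # Steps 2 and 4.1: a sandboxed document's real origin is opaque ("null"),
        # so the algorithm falls back to the origin of the document's URI.
        source = self.url if self.sandboxed or self.origin is None else self.origin
        return urlsplit(source).hostname or ""

def site_for_cookies(document: Document) -> str:
    """Section 2.1: the top-level document's registrable domain when every
    document in the ancestor chain shares it, else the empty string."""
    chain, d = [], document
    while d is not None:                          # step 3: document plus its ancestors
        chain.append(d)
        d = d.parent
    top_site = registrable_domain(chain[-1].host_for_site())    # steps 1-2
    for item in chain:                            # step 4
        if registrable_domain(item.host_for_site()) != top_site:
            return ""
    return top_site

@dataclass
class Request:
    url: str                              # the request's "current url"
    client: Optional[Document] = None     # initiating document; None models "null"

def classify(request: Request) -> str:
    """Section 2.1: "same-site" or "cross-site" for a request."""
    if request.client is None:                    # step 1
        return "same-site"
    site = site_for_cookies(request.client)       # step 2
    target = registrable_domain(urlsplit(request.url).hostname or "")
    # Exact match required; an empty "site for cookies" never matches
    # (assumption about the steps this excerpt elides).
    return "same-site" if site and site == target else "cross-site"

if __name__ == "__main__":
    top = Document("https://example.com/")
    widget = Document("https://www.example.com/widget", parent=top)
    # A frame reached through a cross-site ancestor has no site for cookies.
    nested = Document("https://example.com/inner",
                      parent=Document("https://not-example.com/", parent=top))
    print(site_for_cookies(widget), repr(site_for_cookies(nested)))
    print(classify(Request("https://example.com/sekrit-image", client=widget)))
    print(classify(Request("https://example.com/sekrit-image", client=nested)))
```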
   skipping to change at page 8, line 14

3.2.  Semantics of the "SameSite" Attribute (Non-Normative)

   The "SameSite" attribute limits the scope of the cookie such that it
   will only be attached to requests if those requests are "same-site",
   as defined by the algorithm in Section 2.1.  For example, requests
   for "https://example.com/sekrit-image" will attach same-site cookies
   if and only if initiated from a context whose "site for cookies" is
   "example.com".

   -06:
   If the "SameSite" attribute has no value, if the value is "Strict",
   or if the value is invalid, the cookie will only be sent along with
   "same-site" requests.  If the value is "Lax", the cookie will be sent
   with "same-site" requests, and with "cross-site" top-level
   navigations, as described in Section 4.1.1.

   -07:
   If the "SameSite" attribute's value is "Strict", or if the value is
   invalid, the cookie will only be sent along with "same-site"
   requests.  If the value is "Lax", the cookie will be sent with "same-
   site" requests, and with "cross-site" top-level navigations, as
   described in Section 4.1.1.

   The changes to the "Cookie" header field suggested in Section 4.3
   provide additional detail.
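   The attachment rule just described, together with the Section 4.1
   processing of a "SameSite" cookie-av in both its -06 and -07 forms, as
   an added Python example (not the draft's own text).  The Set-Cookie
   splitting is a minimal model of RFC 6265 Section 5.2, the sample field
   values are constructed, and the safe-method condition on "Lax"
   top-level navigations is taken from the full draft's Section 4.1.1,
   which this excerpt elides.

```python
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}   # "safe" methods, [RFC7231] Section 4.2.1

def parse_samesite(attribute_value: str, draft: str = "07") -> Optional[str]:
    """Section 4.1 processing of a "SameSite" cookie-av.  Returns the
    "enforcement" value appended to the cookie-attribute-list, or None when
    the cookie-av is ignored (draft -07, step 1)."""
    if draft == "06":
        enforcement = "Strict"                                  # -06 step 1
        if attribute_value.lower() in ("strict", "lax"):        # -06 step 2
            # -06 stores the literal attribute-value; canonical spelling is used here.
            enforcement = attribute_value.capitalize()
        return enforcement
    if attribute_value not in ("Strict", "Lax"):                # -07 step 1, case-sensitive
        return None
    # -07 step 2 compares case-insensitively, but step 1 already rejected other spellings.
    return "Lax" if attribute_value.lower() == "lax" else "Strict"

def parse_set_cookie(field_value: str, draft: str = "07") -> dict:
    """Minimal RFC 6265 Section 5.2 split of a Set-Cookie field value into
    name, value and the SameSite enforcement; other cookie-avs are skipped."""
    parts = [p.strip() for p in field_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "samesite": None}
    for cookie_av in parts[1:]:
        av_name, _, av_value = cookie_av.partition("=")
        if av_name.strip().lower() == "samesite":              # attribute-name: case-insensitive
            cookie["samesite"] = parse_samesite(av_value.strip(), draft)
    return cookie

def should_attach(cookie: dict, site_relation: str, method: str = "GET",
                  top_level_navigation: bool = False) -> bool:
    """Section 3.2: a Strict cookie is sent only with "same-site" requests; a
    Lax cookie also with "cross-site" top-level navigations.  The safe-method
    condition on that Lax case follows the full draft's Section 4.1.1, which
    this excerpt elides (assumption)."""
    enforcement = cookie["samesite"]
    if enforcement is None:               # no SameSite attribute: RFC 6265 behaviour unchanged
        return True
    if site_relation == "same-site":
        return True
    if enforcement == "Lax":
        return top_level_navigation and method.upper() in SAFE_METHODS
    return False                          # Strict cookie on a cross-site request

if __name__ == "__main__":
    # Constructed Set-Cookie field values; the first is the Section 1.2 example.
    for draft in ("06", "07"):
        for header in ("SID=31d4d96e407aad42; SameSite=Strict",
                       "SID=31d4d96e407aad42; SameSite",
                       "SID=31d4d96e407aad42; Path=/; SameSite=Lax"):
            c = parse_set_cookie(header, draft)
            print(draft, c["samesite"],
                  should_attach(c, "cross-site", "GET", top_level_navigation=True))
```

   The bare "SameSite" attribute is the case the two drafts treat
   differently: -06 reads it as "Strict", while -07 ignores the cookie-av,
   leaving the cookie without same-site protection.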
4.  User Agent Requirements

   This section describes extensions to [RFC6265] necessary in order to
   implement the client-side requirements of the "SameSite" attribute.

4.1.  The "SameSite" attribute

   The following attribute definition should be considered part of the
   "Set-Cookie" algorithm as described in Section 5.2 of [RFC6265]:

   If the "attribute-name" case-insensitively matches the string
   "SameSite", the user agent MUST process the "cookie-av" as follows:

   -06:

   1.  Let "enforcement" be "Strict".

   2.  If "cookie-av"'s "attribute-value" is a case-insensitive match
       for either "Strict" or "Lax", set "enforcement" to "cookie-av"'s
       "attribute-value".

   -07:

   1.  If "cookie-av"'s "attribute-value" is not a case-sensitive match
       for "Strict" or "Lax", ignore the "cookie-av".

   2.  Let "enforcement" be "Lax" if "cookie-av"'s "attribute-value" is
       a case-insensitive match for "Lax", and "Strict" otherwise.

   Both drafts:

   3.  Append an attribute to the "cookie-attribute-list" with an
       "attribute-name" of "SameSite" and an "attribute-value" of
       "enforcement".
4.1.1.  "Strict" and "Lax" enforcement

   By default, same-site cookies will not be sent along with top-level
   navigations.  As discussed in Section 5.2, this might or might not be
   compatible with existing session management systems.  In the
   skipping to change at page 11, line 46

   services, for instance) will not have access to such cookies.  Cross-
   site cookies may be required in order to provide seamless
   functionality that relies on a user's state.

   Likewise, some forms of Single-Sign-On might require authentication
   in a cross-site context; these mechanisms will not function as
   intended with same-site cookies.
6.  Privacy Considerations

6.1.  Server-controlled (-07 only; -06 has this text directly under Section 6)

   Same-site cookies in and of themselves don't do anything to address
   the general privacy concerns outlined in Section 7.1 of [RFC6265].
   The attribute is set by the server, and serves to mitigate the risk
   of certain kinds of attacks that the server is worried about.  The
   user is not involved in this decision.  Moreover, a number of side-
   channels exist which could allow a server to link distinct requests
   even in the absence of cookies.  Connection and/or socket pooling,
   Token Binding, and Channel ID all offer explicit methods of
   identification that servers could take advantage of.

6.2.  Pervasive Monitoring (-07 only)

   As outlined in [RFC7258], pervasive monitoring is an attack.  Cookies
   play a large part in enabling such monitoring, as they are
   responsible for maintaining state in HTTP connections.  We considered
   restricting same-site cookies to secure contexts [secure-contexts] as
   a mitigation but decided against doing so, as this feature should
   result in a strict reduction in the number of cookies floating around
   in cross-site contexts.  That is, even if "http://not-example.com"
   embeds a resource from "http://example.com/", that resource will not
   be "same-site", and "http://example.com"'s cookies simply cannot be
   used to correlate user behavior across distinct origins.
7.  References

7.1.  Normative References

   [FETCH]    van Kesteren, A., "Fetch", n.d.,
              <https://fetch.spec.whatwg.org/>.

   [HTML]     Hickson, I., Pieters, S., van Kesteren, A., Jaegenstedt,
              P., and D. Denicola, "HTML", n.d.,
              <https://html.spec.whatwg.org/>.

   [PSL]      "Public Suffix List", n.d.,
              <https://publicsuffix.org/list/>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC4790]  Newman, C., Duerst, M., and A. Gulbrandsen, "Internet
              Application Protocol Collation Registry", RFC 4790,
              DOI 10.17487/RFC4790, March 2007,
              <http://www.rfc-editor.org/info/rfc4790>.

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234,
              DOI 10.17487/RFC5234, January 2008,
              <http://www.rfc-editor.org/info/rfc5234>.

   [RFC6265]  Barth, A., "HTTP State Management Mechanism", RFC 6265,
              DOI 10.17487/RFC6265, April 2011,
              <http://www.rfc-editor.org/info/rfc6265>.

   [RFC6454]  Barth, A., "The Web Origin Concept", RFC 6454,
              DOI 10.17487/RFC6454, December 2011,
              <http://www.rfc-editor.org/info/rfc6454>.

   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
              DOI 10.17487/RFC7231, June 2014,
              <http://www.rfc-editor.org/info/rfc7231>.

   [RFC7258]  (-07 only) Farrell, S. and H. Tschofenig, "Pervasive
              Monitoring Is an Attack", BCP 188, RFC 7258,
              DOI 10.17487/RFC7258, May 2014,
              <http://www.rfc-editor.org/info/rfc7258>.

   [SERVICE-WORKERS]
              Russell, A., Song, J., and J. Archibald, "Service
              Workers", n.d., <http://www.w3.org/TR/service-workers/>.
7.2.  Informative References

   [app-isolation]
              Chen, E., Bau, J., Reis, C., Barth, A., and C. Jackson,
              "App Isolation - Get the Security of Multiple Browsers
              with Just One", n.d.,
              <http://www.collinjackson.com/research/papers/
              appisolation.pdf>.

   [pixel-perfect]
              Stone, P., "Pixel Perfect Timing Attacks with HTML5",
              n.d., <http://www.contextis.com/documents/2/
              Browser_Timing_Attacks.pdf>.

   [prerendering]
              Bentzel, C., "Chrome Prerendering", n.d.,
              <https://www.chromium.org/developers/design-documents/
              prerender>.

   [RFC7034]  Ross, D. and T. Gondrom, "HTTP Header Field X-Frame-
              Options", RFC 7034, DOI 10.17487/RFC7034, October 2013,
              <http://www.rfc-editor.org/info/rfc7034>.

   [samedomain-cookies]
              Goodwin, M. and J. Walker, "SameDomain Cookie Flag", 2011,
              <http://people.mozilla.org/~mgoodwin/SameDomain/
              samedomain-latest.txt>.

   [secure-contexts]
              (-07 only) West, M., "Secure Contexts", n.d.,
              <https://w3c.github.io/webappsec-secure-contexts/>.
Appendix A.  Acknowledgements

   The same-site cookie concept documented here is indebted to Mark
   Goodwin's and Joe Walker's [samedomain-cookies].  Michal Zalewski,
   Artur Janc, Ryan Sleevi, and (in -07) Adam Barth provided
   particularly valuable feedback on this document.
Authors' Addresses

   Mike West
   Google, Inc

   Email: mkwst@google.com
   URI:   https://mikewest.org/

   Mark Goodwin
End of changes.  24 change blocks.  37 lines changed or deleted, 62 lines changed or added.

This html diff was produced by rfcdiff 1.45.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/