Skip to content

Commit

Permalink
Origin: Clean up examples.
Browse files Browse the repository at this point in the history
  • Loading branch information
@mikewest
mikewest committed Oct 24, 2014
1 parent 1ae666d commit 08af3b1
Show file tree
Hide file tree
Showing 3 changed files with 154 additions and 72 deletions.
18 changes: 14 additions & 4 deletions origin-cookies/draft-west-origin-cookies-00.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -399,7 +399,7 @@
<link href="#rfc.authors" rel="Chapter"/>


<meta name="generator" content="xml2rfc version 2.4.7 - http://tools.ietf.org/tools/xml2rfc" />
<meta name="generator" content="xml2rfc version 2.4.8 - http://tools.ietf.org/tools/xml2rfc" />
<link rel="schema.dct" href="http://purl.org/dc/terms/" />

<meta name="dct.creator" content="West, M." />
Expand Down Expand Up @@ -500,7 +500,7 @@ <h1 id="rfc.section.1"><a href="#rfc.section.1">1.</a> <a href="#introduction" i
<h1 id="rfc.section.1.1"><a href="#rfc.section.1.1">1.1.</a> <a href="#examples" id="examples">Examples</a></h1>
<p id="rfc.section.1.1.p.1">Origin cookies are set via the <samp>Origin</samp> attribute in the <samp>Set-Cookie</samp> header field. That is, given a server&#8217;s response to a user agent which contains the following header field:</p>
<pre>
Set-Cookie: SID=31d4d96e407aad42; Origin
Set-Cookie: SID=31d4d96e407aad42; Secure; HttpOnly; Origin
</pre>
<p id="rfc.section.1.1.p.2">Subsequent requests from that user agent can be expected to contain the following header field:</p>
<pre>
Expand All @@ -509,13 +509,23 @@ <h1 id="rfc.section.1.1"><a href="#rfc.section.1.1">1.1.</a> <a href="#examples"
<p id="rfc.section.1.1.p.3">Non-origin cookies are returned in the <samp>Cookie</samp> header field as usual. If both non-origin and origin cookies are present for an origin, then both a <samp>Cookie</samp> and <samp>Origin-Cookie</samp> header field will be present. That is, given a server&#8217;s response to a user agent which contains the following header fields:</p>
<pre>
Set-Cookie: SID=31d4d96e407aad42; Origin
Set-Cookie: lang=en-US; Path=/; Domain=example.com
Set-Cookie: lang=en-US;
</pre>
<p id="rfc.section.1.1.p.4">Subsequent requests from that user agent can be expected to contain the following header fields:</p>
<pre>
Cookie: lang=en-US
Origin-Cookie: SID=31d4d96e407aad42
</pre>
<p id="rfc.section.1.1.p.5">User agents that support origin cookies are required to advertise their support for such by sending an <samp>Origin-Cookie</samp> header whenever a <samp>Cookie</samp> header is sent. That is, given the following server response:</p>
<pre>
Set-Cookie: lang=en-US; Secure; HttpOnly
</pre>
<p id="rfc.section.1.1.p.6">Subsequent requests from a user agent that supports origin cookies can be expected to contain the following header fields:</p>
<pre>
Cookie: lang=en-US
Origin-Cookie:
</pre>
<p id="rfc.section.1.1.p.7">Note that the <samp>Origin-Cookie</samp> field is empty.</p>
<h1 id="rfc.section.2"><a href="#rfc.section.2">2.</a> <a href="#terminology-and-notation" id="terminology-and-notation">Terminology and notation</a></h1>
<p id="rfc.section.2.p.1">The key words &#8220;MUST&#8221;, &#8220;MUST NOT&#8221;, &#8220;REQUIRED&#8221;, &#8220;SHALL&#8221;, &#8220;SHALL NOT&#8221;, &#8220;SHOULD&#8221;, &#8220;SHOULD NOT&#8221;, &#8220;RECOMMENDED&#8221;, &#8220;MAY&#8221;, and &#8220;OPTIONAL&#8221; in this document are to be interpreted as described in <a href="#RFC2119">[RFC2119]</a>.</p>
<p id="rfc.section.2.p.2">This specification uses the Augmented Backus-Naur Form (ABNF) notation of <a href="#RFC5234">[RFC5234]</a>.</p>
Expand Down Expand Up @@ -558,7 +568,7 @@ <h1 id="rfc.section.4.3"><a href="#rfc.section.4.3">4.3.</a> <a href="#cookie-he
</ol>
<h1 id="rfc.section.4.4"><a href="#rfc.section.4.4">4.4.</a> <a href="#origin-cookie-header-field" id="origin-cookie-header-field">The &#8220;Origin-Cookie&#8221; header field</a></h1>
<p id="rfc.section.4.4.p.1">The user agent includes stored cookies whose <samp>origin-flag</samp> is set in the <samp>Origin-Cookie</samp> request header. When the user agent generates an HTTP request, it MUST NOT attach more than one <samp>Origin-Cookie</samp> header field.</p>
<p id="rfc.section.4.4.p.2">A user agent MAY omit the <samp>Origin-Cookie</samp> header in its entirety. For example, the user agent may wish to block sending cookies during &#8220;third-party&#8221; requests.</p>
<p id="rfc.section.4.4.p.2">A user agent MAY omit the <samp>Origin-Cookie</samp> header in its entirety. For example, the user agent may wish to block sending cookies during &#8220;third-party&#8221; requests. If, however, a <samp>Cookie</samp> header is sent, a user agent MUST send an <samp>Origin-Cookie</samp> header.</p>
<p id="rfc.section.4.4.p.3">If the user agent does attach an <samp>Origin-Cookie</samp> header field to an HTTP request, the user agent MUST send the <samp>cookie-string</samp> as defined below as the value of the header field.</p>
<p id="rfc.section.4.4.p.4">The user agent MUST use an algorithm equivalent to the following algorithm to compute the <samp>cookie-string</samp> from a cookie store and a <samp>request-uri</samp>:</p>
<p/>
Expand Down
186 changes: 121 additions & 65 deletions origin-cookies/draft-west-origin-cookies-00.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,27 +65,27 @@ Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology and notation . . . . . . . . . . . . . . . . . . 3
2. Terminology and notation . . . . . . . . . . . . . . . . . . 4
3. Server Requirements . . . . . . . . . . . . . . . . . . . . . 4
3.1. Grammar . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.2. Semantics of the "Origin" Attribute (Non-Normative) . . . 4
4. User Agent Requirements . . . . . . . . . . . . . . . . . . . 4
4.1. The "Origin" attribute . . . . . . . . . . . . . . . . . 4
4. User Agent Requirements . . . . . . . . . . . . . . . . . . . 5
4.1. The "Origin" attribute . . . . . . . . . . . . . . . . . 5
4.2. Monkey-patching the Storage Model . . . . . . . . . . . . 5
4.3. Monkey-patching the "Cookie" header . . . . . . . . . . . 6
4.4. The "Origin-Cookie" header field . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 7
5.1. "HttpOnly" . . . . . . . . . . . . . . . . . . . . . . . 7
5.2. Paths are ignored . . . . . . . . . . . . . . . . . . . . 7
5.1. "HttpOnly" . . . . . . . . . . . . . . . . . . . . . . . 8
5.2. Paths are ignored . . . . . . . . . . . . . . . . . . . . 8
5.3. Downgrade attacks . . . . . . . . . . . . . . . . . . . . 8
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
6.1. Origin-Cookie . . . . . . . . . . . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
8.1. Normative References . . . . . . . . . . . . . . . . . . 9
8.2. Informative References . . . . . . . . . . . . . . . . . 9
Appendix A. Open Issues . . . . . . . . . . . . . . . . . . . . 9
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 9
Appendix A. Open Issues . . . . . . . . . . . . . . . . . . . . 10
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10

1. Introduction

Expand Down Expand Up @@ -130,7 +130,7 @@ Internet-Draft Origin-Cookies October 2014
header field. That is, given a server's response to a user agent
which contains the following header field:

Set-Cookie: SID=31d4d96e407aad42; Origin
Set-Cookie: SID=31d4d96e407aad42; Secure; HttpOnly; Origin

Subsequent requests from that user agent can be expected to contain
the following header field:
Expand All @@ -144,23 +144,23 @@ Internet-Draft Origin-Cookies October 2014
contains the following header fields:

Set-Cookie: SID=31d4d96e407aad42; Origin
Set-Cookie: lang=en-US; Path=/; Domain=example.com
Set-Cookie: lang=en-US;

Subsequent requests from that user agent can be expected to contain
the following header fields:

Cookie: lang=en-US
Origin-Cookie: SID=31d4d96e407aad42

2. Terminology and notation

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
User agents that support origin cookies are required to advertise
their support for such by sending an "Origin-Cookie" header whenever
a "Cookie" header is sent. That is, given the following server
response:

This specification uses the Augmented Backus-Naur Form (ABNF)
notation of [RFC5234].
Set-Cookie: lang=en-US; Secure; HttpOnly

Subsequent requests from a user agent that supports origin cookies
can be expected to contain the following header fields:



Expand All @@ -170,6 +170,20 @@ West Expires April 27, 2015 [Page 3]
Internet-Draft Origin-Cookies October 2014


Cookie: lang=en-US
Origin-Cookie:

Note that the "Origin-Cookie" field is empty.

2. Terminology and notation

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].

This specification uses the Augmented Backus-Naur Form (ABNF)
notation of [RFC5234].

Two sequences of octets are said to case-insensitively match each
other if and only if they are equivalent under the "i;ascii-casemap"
collation defined in [RFC4790].
Expand Down Expand Up @@ -201,6 +215,17 @@ Internet-Draft Origin-Cookies October 2014
The changes to the "Cookie" header field suggested in Section 4.3
provide additional detail.







West Expires April 27, 2015 [Page 4]

Internet-Draft Origin-Cookies October 2014


4. User Agent Requirements

This section describes extensions to [RFC6265] necessary in order to
Expand All @@ -216,16 +241,6 @@ Internet-Draft Origin-Cookies October 2014
the user agent MUST append an attribute to the cookie-attribute-list
with an attribute-name of "Origin" and an empty attribute-value.






West Expires April 27, 2015 [Page 4]

Internet-Draft Origin-Cookies October 2014


4.2. Monkey-patching the Storage Model

Note: There's got to be a better way to specify this. Until I figure
Expand Down Expand Up @@ -259,6 +274,14 @@ Internet-Draft Origin-Cookies October 2014
Otherwise: set the cookie's "origin-flag" to false, and its
"origin" to "null".




West Expires April 27, 2015 [Page 5]

Internet-Draft Origin-Cookies October 2014


2. If the newly created cookie's "origin-flag" is set to true,
and the cookie store contains a cookie with the same"name",
"origin", and "origin-flag" as the newly created cookie:
Expand All @@ -275,13 +298,6 @@ Internet-Draft Origin-Cookies October 2014
3. Change the priority order for excess cookie removal to the
following:



West Expires April 27, 2015 [Page 5]

Internet-Draft Origin-Cookies October 2014


1. Expired cookies.

2. Cookies whose "origin-flag" is false that share a "domain"
Expand Down Expand Up @@ -314,7 +330,16 @@ Internet-Draft Origin-Cookies October 2014

A user agent MAY omit the "Origin-Cookie" header in its entirety.
For example, the user agent may wish to block sending cookies during
"third-party" requests.



West Expires April 27, 2015 [Page 6]

Internet-Draft Origin-Cookies October 2014


"third-party" requests. If, however, a "Cookie" header is sent, a
user agent MUST send an "Origin-Cookie" header.

If the user agent does attach an "Origin-Cookie" header field to an
HTTP request, the user agent MUST send the "cookie-string" as defined
Expand All @@ -329,15 +354,6 @@ Internet-Draft Origin-Cookies October 2014

* The cookie's "origin-flag" is true.





West Expires April 27, 2015 [Page 6]

Internet-Draft Origin-Cookies October 2014


* The cookie's "origin" matches the origin of "request-uri".
[RFC6454]

Expand Down Expand Up @@ -370,6 +386,14 @@ Internet-Draft Origin-Cookies October 2014
are substantially improved if the "Origin" attribute is set.
Further:




West Expires April 27, 2015 [Page 7]

Internet-Draft Origin-Cookies October 2014


5.1. "HttpOnly"

Note that origin cookies are only accessible via HTTP. "Non-HTTP"
Expand All @@ -385,15 +409,6 @@ Internet-Draft Origin-Cookies October 2014

That said, paths offer little to no protection against malicious
code. The origin is the only security boundry enforced rigorously by




West Expires April 27, 2015 [Page 7]

Internet-Draft Origin-Cookies October 2014


user agents; it is therefore the only security boundry that server
operators ought to rely on for isolation.

Expand Down Expand Up @@ -428,6 +443,13 @@ Internet-Draft Origin-Cookies October 2014

o Status: standard



West Expires April 27, 2015 [Page 8]

Internet-Draft Origin-Cookies October 2014


o Author/Change controller: IETF

o Specification document: This specification (see Section 4.4)
Expand All @@ -439,17 +461,6 @@ Internet-Draft Origin-Cookies October 2014
Andrew Bortz, Adam Barth, and Alexei Czeskis' paper
[origin-cookies-w2sp].







West Expires April 27, 2015 [Page 8]

Internet-Draft Origin-Cookies October 2014


8. References

8.1. Normative References
Expand Down Expand Up @@ -485,6 +496,16 @@ Internet-Draft Origin-Cookies October 2014
Session Integrity for Web Applications", 2011,
<http://w2spconf.com/2011/papers/session-integrity.pdf>.






West Expires April 27, 2015 [Page 9]

Internet-Draft Origin-Cookies October 2014


Appendix A. Open Issues

o Should origin cookies be settable via "document.cookie"? Does
Expand All @@ -501,4 +522,39 @@ Author's Address



West Expires April 27, 2015 [Page 9]



































West Expires April 27, 2015 [Page 10]
Loading

0 comments on commit 08af3b1

Please sign in to comment.