Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Thoughts on letting CSP govern attributes that must appear in Set-Cookie #152

Closed
aidantwoods opened this issue Nov 17, 2016 · 5 comments
Closed

Thoughts on letting CSP govern attributes that must appear in Set-Cookie #152

aidantwoods opened this issue Nov 17, 2016 · 5 comments
Milestone
Future

Comments

@aidantwoods
Copy link

I realise this is mostly contrary to what CSP is conventionally: a whitelist. Though there are a few exceptions, notably block-all-mixed-content, which only performs blocking if proactively enabled.

CSP has all sorts of directives controlling to where the page is allowed to communicate, though if an attacker on the network can exploit an XSS vuln, then they could exfiltrate data from the page via a deliberately insecurely set cookie.

Okay, so that's the extreme example.

More usefully, I wonder whether an application owner may simply want to specify a list of cookie names that it wishes to ensure are set with the secure and/or HttpOnly flags, or not at all (or possibly auto-upgrade them). I can imagine a few examples where cookies are set in various places throughout code, and the application owner simply wishes to ensure that some known authentication cookies are always set securely, and out of the hands of JS.

PS. I also note that CSP is parsed before Set-Cookie here (https://w3c.github.io/webappsec-csp/#fetch-integration), so perhaps this wouldn't be too in-plausible a change?
@aidantwoods
Copy link
Author

I guess this would be a proposal to allow CSP to say:

  1. All cookies must be set with secure and HttpOnly
  2. Here is a list of cookies which must be set with secure and HttpOnly
  3. Cookies can be set without secure or HttpOnly

I guess 3. would be the default for backwards compatibility.
Possibly allow some granularity on whether secure and HttpOnly must be set, or whether just one of the flags is enforced in 1. and 2.

@mikewest mikewest added this to the CSP3 CR milestone May 10, 2017
@mikewest
Copy link
Member

Leaving this as a feature request for the future. I think something like this is worth doing, but probably more as part of https://wicg.github.io/origin-policy/ than CSP.

@mikewest mikewest modified the milestones: Future, CSP3 CR May 10, 2017
@aidantwoods
Copy link
Author

Sounds good to me!

(Needless to say almost), in the above proposal sameSite should also be considered, along with any newer attributes that might exist when this is implemented.

Shall I raise this over at https://github.com/WICG/origin-policy ?

@Malvoz
Copy link

Malvoz commented Aug 25, 2018
edited
Loading

I suppose this issue should be closed in favor of WICG/origin-policy#8

@dveditz
Copy link
Member

dveditz commented Aug 27, 2018

thanks, sounds right.

@dveditz dveditz closed this as completed Aug 27, 2018
@Malvoz Malvoz mentioned this issue Aug 27, 2018
Open
@Malvoz Malvoz mentioned this issue Oct 21, 2018
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Future
Development

No branches or pull requests
4 participants
@mikewest @dveditz @aidantwoods @Malvoz