Remove no-Domain requirement #46

Merged
merged 4 commits into from
Jul 29, 2022
40 changes: 6 additions & 34 deletions README.md
Expand Up @@ -33,7 +33,6 @@ For more information about the design of the Origin-Trial, see the [documentatio
- [Design Principles](#design-principles)
- [Opt-in partitioned cookies](#opt-in-partitioned-cookies)
- [Only sent over secure protocols](#only-sent-over-secure-protocols)
- [Hostname-bound](#hostname-bound)
- [Avoid a large memory footprint](#avoid-a-large-memory-footprint)
- [Detailed Design](#detailed-design)
- [Partitioning model](#partitioning-model)
Expand All @@ -45,7 +44,7 @@ For more information about the design of the Origin-Trial, see the [documentatio
- [Third-party customer support widgets](#third-party-customer-support-widgets)
- [CDN load balancing](#cdn-load-balancing)
- [How to enforce design principles](#how-to-enforce-design-principles)
- [Partitioned cookies must use the `__Host-` prefix](#partitioned-cookies-must-use-the-__host--prefix)
- [`Secure` and `Path` attributes](#secure-and-path-attributes)

Does forcing Secure and Path also cause breakage? I'm fine with them being required if not. I really don't expect Secure to, but am less certain on Path.

Collaborator Author

We have not gotten any feedback from partners about breakage due to the Secure requirement, so I am inclined to keep it.

As for Path, the Path=/ requirement is really an artifact of requiring the __Host- prefix. I opened #47 to open a discussion about requiring that CHIPS not be bound to any particular URL path.

Collaborator

FYI, with the SameSite-by-default cookies change (which has been rolled out to Chrome, and I believe is likely to be rolled out on Firefox soon as well), all cross-site cookies already require the Secure attribute. Given that, it is unlikely that the CHIPS requirement will cause breakage.

- [`HttpOnly` attribute](#httponly-attribute)
- [`SameSite` attribute](#samesite-attribute)
- [`SameParty` attribute](#sameparty-attribute)
Expand All @@ -65,8 +64,6 @@ For more information about the design of the Origin-Trial, see the [documentatio
- [Alternate Designs for CHIPS](#alternate-designs-for-chips)
- [Limit the number of cookies in a partition](#limit-the-number-of-cookies-in-a-partition)
- [Applying the 180 cookies-per-domain limit](#applying-the-180-cookies-per-domain-limit)
- [Requiring the `__Secure-` prefix](#requiring-the-__secure--prefix)
- [Not requiring the `__Host-` prefix](#not-requiring-the-__host--prefix)
- [DNS CNAME’ing](#dns-cnameing)
- [References and Acknowledgements](#references-and-acknowledgements)
- [Acknowledgements](#acknowledgements)
Expand Down Expand Up @@ -284,12 +281,6 @@ See the [Partition all third-party cookies by default](#partition-all-third-part
Partitioned cookies must only be set by and sent over secure protocols.
This helps address some aspects of cookies' [weak confidentiality](https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-07#section-8.5) and [weak integrity](https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-07#section-8.6).

### Hostname-bound

Partitioned cookies should also be hostname bound.
This and the requirement partitioned cookies be sent over secure protocols makes partitioned cookies as close to origin-bound as possible.
We would like to have user agents scope partitioned cookies by port as well, making them origin-scoped, but we think this requirement should only be enforced if/when [Origin-Bound Cookies](https://github.com/sbingler/Origin-Bound-Cookies) is enabled.

### Avoid a large memory footprint

One concern about introducing partitioned cookies is the proliferation of state on users' machines.
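Review bot: the Hostname-bound design principle is deleted outright, but nothing in the remaining Design Principles text records the consequence: partitioned cookies may now carry a `Domain` attribute and can therefore be shared across third-party subdomains within a partition, so the deleted goal of being "as close to origin-bound as possible" no longer holds. The review thread asks whether `Secure` and `Path` "also" cause breakage, which implies the `Domain` restriction did; that rationale belongs in the document. Suggest replacing the deleted section with a short paragraph stating that hostname binding is no longer required and why, instead of removing it silently.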
Expand Down Expand Up @@ -338,11 +329,11 @@ This algorithm could be added to [section 5.3 of RFC6265bis](https://datatracker
1. Append an attribute to the cookie-attribute-list with an attribute-name of "PartitionKey" and an attribute-value of "partition-key".

Below is the algorithm for storing `Partitioned` cookies.
These steps could be added to [section 5.4 of RFC6265bis](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-07#section-5.4) after the user agent processes the cookie's __Host- prefix.
These steps could be added to [section 5.4 of RFC6265bis](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-07#section-5.4).

1. If the cookie-attribute-list contains an attribute with an attribute-name of "PartitionKey" and the attribute-value is null, then skip the following steps and insert the cookie into the cookie store.

1. If the cookie-name does not start with a case-sensitive match for the string "__Host-", then abort the following steps and ignore the cookie entirely.
1. 1. If the cookie-attribute-list does not contain an attribute with an attribute-name of `Secure` and an attribute with an attribute-name of `Path` and attribute-value of `/` then abort these steps and ignore the cookie entirely.

1. If the cookie line also contains the [`SameParty` attribute](https://github.com/cfredric/sameparty) (the exact semantics of how the `SameParty` attribute is loaded into the cookie-attribute-list is TBD) then abort the following steps and ignore the cookie entirely.

Expand Down Expand Up @@ -430,14 +421,9 @@ When the browser navigates to another top-level site, then subsequent requests t

### How to enforce design principles

#### Partitioned cookies must use the `__Host-` prefix
#### `Secure` and `Path` attributes

User agents must only accept Partitioned cookies which have the `__Host-` prefix.

The `__Host-` prefix requires that the cookie be set with `Secure` and `Path=/` and disallows the `Domain` attribute.
These requirements ensure that partitioned cookies only be set from and sent to secure origins only.
It also would disallow `Domain` cookies which can be shared between different third-party subdomains within a partition.
This requirement make partitioned cookies be as close to third-party origin-bound as possible.
User agenst must reject any cookie set with `Partitioned` that does not also include the `Secure` and `Path=/`.

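Review bot: typo in the added line, "User agenst" should be "User agents", and the sentence is missing its object ("... does not also include the `Secure` and `Path=/` attributes"). The deleted paragraph was also the only place that explained why `Domain` cookies were disallowed (they can be shared between different third-party subdomains within a partition); since this PR now allows them, the section should state that `Domain` is permitted and acknowledge that subdomain-sharing consequence rather than dropping the explanation.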
#### `HttpOnly` attribute

Expand Down Expand Up @@ -498,7 +484,7 @@ Partitioned cookies should be accessible regardless of any choices the user has
The new cookie attribute will be ignored on older clients that don't recognize it and fall back to default behavior.
Since these cookies are intended for third-party contexts, [clients that are incompatible with `SameSite=None`](https://www.chromium.org/updates/same-site/incompatible-clients) may reject cookies with `SameSite=None`.

It is also recommended to still include the `__Host-` prefix.
Although it is not required, it is still recommended to still include the `__Host-` prefix.
Even clients that do not recognize the `Partitioned` attribute still enforce the semantics of the `__Host-` prefix.
This would ensure that cross-site cookies are hostname bound and only sent over secure channels, which is still a security win.
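Review bot: the added line repeats "still" ("it is still recommended to still include"); suggest "Although it is not required, it is still recommended to include the `__Host-` prefix." The following sentence about older clients still enforcing the `__Host-` semantics remains accurate and is the right justification now that the prefix is optional.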

Expand Down Expand Up @@ -641,20 +627,6 @@ When the user returns to a site with an `evil.com` embed, `evil.com` will detect
How much entropy `evil.com` can learn about a particular user from this type of attack has not been explored.
Therefore it is not clear what the relative global and per-partition limits would need to be to prevent `evil.com` from learning any identifiable information about users this way.

### Requiring the `__Secure-` prefix

Cookies with the `__Host-` prefix implicitly have the same properties as cookies with the `__Secure-` prefix.
By requiring partitioned cookies to have the former we guarantee that they also have the same properties as if we required the latter.

### Not requiring the `__Host-` prefix

One alternate design choice is to not require that cookies with the `Partitioned` attribute have a `__Host-` prefix.
Instead, the semantics of the `Partitioned` attribute would include the semantics of `__Host-` prefix cookies (i.e. requiring `Secure` and `Path=/`, disallowing `Domain`).

We decided against this for two reasons.
The first is that clients that do not yet recognize the `Partitioned` attribute may still recognize the `__Host-` prefix and can still benefit from its semantics.
The second is that mixing the semantics of prefixes and attributes is not the right path forward, since it makes the semantics of either more difficult to understand.

### DNS CNAME’ing

Websites can choose to delegate/alias a subdomain to a third-party service provider using DNS CNAME records.
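Review bot: deleting "Not requiring the `__Host-` prefix" removes the recorded rationale, yet this PR adopts exactly the design that section argued against (the `Partitioned` attribute now carries the `Secure` and `Path=/` requirements itself instead of relying on the prefix). Keep the section, rewritten to explain why the decision was reversed, so a later reader does not re-propose the original argument. Likewise, "Requiring the `__Secure-` prefix" should be updated rather than removed: its argument ("`__Host-` implies `__Secure-`") no longer holds once `__Host-` is optional, so the document should say whether `__Secure-` is required, recommended, or deliberately not required.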