
RFC 6265bis: possibility of taking the port into account for "schemeful-cookies" (aka same-origin cookies)

Open randomstuff opened this issue 4 years ago • 4 comments

Would it make sense/be possible to take the port into account as well for "schemeful-cookies" (making them same-origin cookies)?

For http: localhost-bound applications, the ability to scope the cookies per origin would be useful. Without this, the cookies of an http://127.0.0.1:4567 application can be exfiltrated by other local users by:

  • spawning another localhost HTTP service such as http://127.0.0.1:4568;
  • triggering a request to this page from the user.

randomstuff avatar Jun 01 '21 07:06 randomstuff
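To make the scoping question concrete, here is a small model of a cookie jar's send decision under three matching rules: host-only as in RFC 6265, "schemeful" (scheme added), and origin-bound (scheme and port added). It is an added illustration, not code from the thread or from any browser; the class and function names are this example's own, and the session value is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed model of which cookies accompany a request. RFC 6265 keys host-only
# cookies by host (and path), ignoring scheme and port; "schemeful" matching adds
# the scheme; origin-bound matching (the linked proposal) adds the port as well.


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    host: str    # host of the setting origin (host-only cookie, no Domain attribute)
    scheme: str  # scheme of the setting origin
    port: int    # port of the setting origin


def _effective_port(u) -> int:
    return u.port or (443 if u.scheme == "https" else 80)


@dataclass
class CookieJar:
    mode: str = "host"  # "host" (RFC 6265), "schemeful", or "origin" (scheme+host+port)
    cookies: List[Cookie] = field(default_factory=list)

    def set_cookie(self, setting_url: str, name: str, value: str) -> None:
        u = urlsplit(setting_url)
        self.cookies.append(Cookie(name, value, u.hostname, u.scheme, _effective_port(u)))

    def _matches(self, c: Cookie, u) -> bool:
        if c.host != u.hostname:
            return False
        if self.mode == "host":
            return True
        if self.mode == "schemeful":
            return c.scheme == u.scheme
        if self.mode == "origin":
            return c.scheme == u.scheme and c.port == _effective_port(u)
        raise ValueError(f"unknown mode {self.mode!r}")

    def cookies_for(self, request_url: str) -> Dict[str, str]:
        u = urlsplit(request_url)
        return {c.name: c.value for c in self.cookies if self._matches(c, u)}


def session_sent_to(mode: str, request_url: str) -> bool:
    """True if a cookie set by http://127.0.0.1:4567 is attached to request_url."""
    jar = CookieJar(mode=mode)
    jar.set_cookie("http://127.0.0.1:4567/", "session", "constructed-session-value")
    return "session" in jar.cookies_for(request_url)
```

Under host-only and schemeful matching the session cookie set on port 4567 is attached to a request to port 4568; only the origin-bound rule keeps it on the port that set it.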

This has been proposed: https://github.com/sbingler/Origin-Bound-Cookies

chlily1 avatar Jun 04 '21 18:06 chlily1

(Adding defer label as I don't think we'll get to this in 6265bis.)

chlily1 avatar Jun 04 '21 18:06 chlily1

Looking at the linked GitHub doc, it seems this is no longer schemeful cookies but origin-bound cookies. True? If so, please change the title.

johnwilander avatar Sep 30 '21 20:09 johnwilander

@johnwilander, the title is a reference to the proposal in the incrementalism draft.

randomstuff avatar Oct 01 '21 11:10 randomstuff