| Network Working Group | M. West |
| Internet-Draft | |
| Intended status: Standards Track | May 7, 2019 |
| Expires: November 8, 2019 |
First-Party Sets and SameSite Cookies
draft-west-cookie-samesite-firstparty-latest
This document proposes the addition of two new values to the SameSite cookie attribute defined in RFC6265bis [I-D.ietf-httpbis-rfc6265bis]: FirstPartyLax and FirstPartyStrict. These values are conceptually similar to the existing Lax and Strict values, but base the delivery checks on the First-Party Sets [first-party-set] of a request’s initiator and target, rather than on their respective registrable domains. This widens the scope of a given cookie’s applicability, enabling entities that have sharded themselves across multiple registrable domains to maintain HTTP state without exposing themselves to the risks of SameSite=None.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 8, 2019.
Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The SameSite attribute enables developers to limit the scope of a given cookie’s delivery, mitigating the risks of some classes of cross-site request forgery (CSRF) attack by preventing certain cookies from being delivered along with requests that are initiated from a cross-site context.
For example, consider the exciting and dynamic https://internet-bookstore.example/, which uses SameSite=Lax cookies as one layer in its defense against CSRF attack. If https://example.com includes resources from https://internet-bookstore.example/, the request will be considered cross-site, and the authentication cookies will not be delivered. Without that state, CSRF attacks will be significantly less effective.
When the site expands into new locations, it may wish to register a domain under a localized TLD, perhaps https://internet-bookstore.测试/. Likewise, it may decide to shard itself into distinct brands, like https://internet-things-other-than-books-store.example/. Though the same entity controls each of these origins, they have distict registrable domains, and therefore the authentication cookie noted above will not be delivered from one site to resources on another. This frustrates a number of reasonable use cases, including single-sign on. Today, SameSite=None is necessary in order to support these use cases by enabling a given cookie to be delivered across registrable domains. SameSite=None, unfortunately, exposes the site to more risk than it would prefer, as it removes a layer of CSRF defense.
First-Party Sets [first-party-set] proposes a mechanism by which developers can bind each of their distinct registrable domains into a set which mutually agrees to be treated as a single entity. It would be helpful if this concept could be folded into the SameSite attribute, perhaps via new FirstPartyLax and FirstPartyStrict values. These could be conceptually similar to the existing Lax and Strict values, but base their delivery checks on the First-Party Sets of a given request’s initiator and target, rather than on their respective registrable domains.
This document spells out that proposal in a bit more detail.
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
This document adjusts some syntax from [I-D.ietf-httpbis-rfc6265bis], and in doing so, relies upon the Augmented Backus-Naur Form (ABNF) notation of [RFC5234].
HTTP requests are considered “same-site” or “cross-site”, as defined in [I-D.ietf-httpbis-rfc6265bis].
First-Party Sets are defined in [first-party-set]. Two origins (“A” and “B”) are said to be in the same first-party set if the first-party set associated with “A” contains “B”.
A request is considered to be “first-party” if the target origin is in the same first-party set as the request’s initiator, and “third-party” otherwise. That is, for a given request (“r”), the following algorithm returns first-party or third-party:
A document is considered “first-party with its ancestors” if its origin is in the same First-Party Set with the origins of each of the document’s ancestors [HTML]. That is, for a given document (“d”), the following algorithm returns first-party or third-party:
ISSUE: Move these definitions to the First-Party Sets spec, when one exists.
[I-D.ietf-httpbis-rfc6265bis] defines three values for cookies’ SameSite attribute: None, which enables delivery for same-site and cross-site requests; Strict, which enables delivery only for same-site requests; and Lax, which enables delivery for same-site requests as well as for cross-site top-level navigations.
In the presence of first-party sets, it makes sense to extend this syntax a bit to include FirstParty, which will allow delivery of cookies within a first-party set, and therefore will support the use cases that first-party sets addresses (a given first-party’s single sign-on, for instance). For example, given two distinct origins https://sso.example/ and https://application.example/ that are contained in the same first-party set:
To implement this change, adjust [I-D.ietf-httpbis-rfc6265bis] as follows:
First, change the samesite-value definition from:
samesite-value = "Strict" / "Lax" / "None"
to:
samesite-value = "Lax" / "Strict" / "FirstPartyLax" / "FirstPartyStrict" / "None"
Second, alter the SameSite attribute’s processing algorithm (Section 5.3.7 of [I-D.ietf-httpbis-rfc6265bis]) to add a new step 4 and 5:
4. If cookie-av's attribute-value is a case-insensitive
match for "FirstPartyLax", set `enforcement` to "FirstPartyLax".
5. If cookie-av's attribute-value is a case-insensitive
match for "FirstPartyStrict", set `enforcement` to "FirstPartyStrict".
Third, alter the cookie storage model (Section 5.4 of [I-D.ietf-httpbis-rfc6265bis]) as follows:
Change step 14.1 from:
1. If the cookie was received from a "non-HTTP" API, and
the API was called from a context whose "site for
cookies" is not an exact match for request-uri's host's
registered domain, then abort these steps and ignore the
newly created cookie entirely.
to:
1. If the cookie was received from a "non-HTTP" API:
1. If the cookie's `same-site-flag` is "Lax" or
"Strict", and the API was called from a context
whose "site for cookies" is not an exact match for
request-uri's host's registered domain, then abort
these steps and ignore the newly-created cookie
entirely.
2. If the cookie's same-site-flag` is "FirstPartyLax"
or "FirstPartyStrict", and the API was called from
a context that is not first-party with its
ancestors, then abort these steps and ignore the
newly-created cookie entirely.
Change step 14.2 from:
2. If the cookie was received from a "same-site" request,
skip the remaining substeps and continue processing the
cookie.
to:
2. If the cookie's `same-site-flag` is "Lax" or "Strict",
and the cookie was received from a "same-site" request,
then skip the remaining substeps and continue processing
the cookie.
Add a new step 14.3 after the new step 14.2:
3. If the cookie's `same-site-flag` is "FirstPartyLax" or
"FirstPartyStrict", and the cookie was received from a
"first-party" request, then skip the remaining substeps
and continue processing the cookie.
Fourth, alter the last conditional in step 1 if the Cookie header algorithm (Section 5.5 of [I-D.ietf-httpbis-rfc6265bis]) from:
* If the cookie's same-site-flag is not "None", and the
HTTP request is cross-site then exclude the cookie
unless all of the following statements hold:
1. The same-site-flag is "Lax".
2. The HTTP request's method is "safe".
3. The HTTP request's target browsing context is a
top-level browsing context.
to:
* If the HTTP request is cross-site, then exclude the
cookie unless one of the following statements holds:
1. The cookie's `same-site-flag` is "None".
2. The cookie's `same-site-flag` is either "Lax" or
"FirstPartyLax", the HTTP request's method is
"safe", and the HTTP request's target browsing
context is a top-level browsing context.
3. The cookie's `same-site-flag` is either
"FirstPartyLax" or "FirstPartyStrict", and the HTTP
request is a first-party request.
Both FirstPartyLax and FirstPartyStrict provide weaker defenses against CSRF than their Lax and Strict counterparts, as they enable authenticated requests from a larger set of initiating contexts. That said, they also provide deployment benefits, as they’re usable in some contexts where Lax and Strict would be too restrictive (e.g. the localized registrable domains in the introduction).
First-Party Sets can only be created for secure origins, as unauthenticated transport doesn’t give any guarantees that the assertions we use to build the set are in fact being delivered by the entity which controls the server. This has the side-effect of ensuring that FirstPartyLax and FirstPartyStrict cookies can only be delivered to secure cross-site origins, which has the exciting side effect of providing limited mitigation of monitoring by network attackers [RFC7258].
This document has no IANA actions.
| [first-party-set] | West, M., "First-Party Sets", n.d.. |
| [I-D.ietf-httpbis-rfc6265bis] | Barth, A. and M. West, "Cookies: HTTP State Management Mechanism", Internet-Draft draft-ietf-httpbis-rfc6265bis-03, April 2019. |
| [RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
| [RFC5234] | Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, DOI 10.17487/RFC5234, January 2008. |
| [RFC8174] | Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017. |
| [HTML] | Hickson, I., Pieters, S., van Kesteren, A., Jägenstedt, P. and D. Denicola, "HTML", n.d.. |
| [I-D.west-http-state-tokens] | West, M., "HTTP State Tokens", Internet-Draft draft-west-http-state-tokens-00, March 2019. |
| [mixed-content] | West, M., "Mixed Content", n.d.. |
| [pref-cookie] | Soltani, A., Peterson, A. and B. Gellman, "NSA uses Google cookies to pinpoint targets for hacking", December 2013. |
| [RFC6265] | Barth, A., "HTTP State Management Mechanism", RFC 6265, DOI 10.17487/RFC6265, April 2011. |
| [RFC7258] | Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May 2014. |
Conversations with a number of folks at 2019’s HTTP Workshop helped me clarify my thinking around the incremental improvements we can make to cookies. In particular, Martin Thomson and Anne van Kesteren provided insightful feedback.