Add instructions for partitioned cookies with the same name/domain/path #9

Merged
merged 4 commits into from
Nov 9, 2022
15 changes: 15 additions & 0 deletions draft-cutler-httpbis-partitioned-cookies.md
@@ -104,6 +104,18 @@ The following could also be added as an additional step to section 5.4:
If the cookie-attribute-list does contain an attribute with an attribute-name of "Partitioned" and the secure-only-flag is false, abort these steps and ignore the cookie entirely.<br><br>
Otherwise, set partition-key to cookie-partition-key defined in section 5.X.X.

## Partitioned Cookies with the Same Name/Domain/Path

In order to prevent cross-partition leaks, we need to allow sites to set cookies with the same name, domain, and path as long as they have different partition keys.
In order to achieve this, we suggest the following edit to step 22 of {{Section 5.5 (Storage Model) of RFC6265bis}}, note that steps b-d below are not changed.

{:quote}
> 1. If the cookie store contains a cookie with the same name, domain, host-only-flag, path, and partition-key as the newly-created cookie:<br><br>
a. Let old-cookie be the existing cookie with the same name, domain, host-only-flag, path, and partition-key as the newly-created cookie. (Notice that this algorithm maintains the invariant that there is at most one such cookie.)<br><br>
b. If the newly-created cookie was received from a "non-HTTP" API and the old-cookie's http-only-flag is true, abort these steps and ignore the newly created cookie entirely.<br><br>
c. Update the creation-time of the newly-created cookie to match the creation-time of the old-cookie.<br><br>
d. Remove the old-cookie from the cookie store.

## Attaching a Partitioned Cookie to a Request

The following could be added to the first step of the algorithm in section 5.6.3 (Retrieval Algorithm):
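Review bot: The revised step 22 now matches on partition-key, but nothing in this hunk says what partition-key holds for a cookie set without the Partitioned attribute, so it is unclear whether an unpartitioned cookie and a partitioned cookie with the same name, domain, and path coexist in the store or whether one evicts the other; suggest stating this explicitly (for example, that a cookie without the attribute has a null partition-key that matches only other null keys), since that case decides whether the cross-partition leak described in the privacy section is fully closed. Minor: the sentence introducing the edit joins two clauses with a comma; suggest "...of RFC6265bis}}; note that steps b-d below are unchanged."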
@@ -150,6 +162,9 @@ Another privacy consideration is that the privacy guarantees of partitioned cook
Unfortunately, this type of attack is unavoidable due to the nature of extensions.
Even if we block partitioned cookies (or even all cookies) from extensions' background contexts, an extension could still use content scripts to write cross-site identifiers to the DOM which the site's own script could copy to the site's partitioned cookie jar.

Finally, sites should be able to set partitioned cookies with the same name, domain, and path in different partitions.
Otherwise, the presence or absence of a cookie with a particular name/domain/path would allow sites to learn about that user's activity on different top-level sites that make subresource requests to the cookie's domain.

# Implementation Considerations

## Applying Limits to Partitioned Cookie Jars
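Review bot: The new paragraph gives the rationale for the storage-model change but does not point to where it is enforced; suggest a cross-reference to the "Partitioned Cookies with the Same Name/Domain/Path" section, and one clause naming the channel: if setting a cookie in one partition evicted the identically named cookie in another, the embedded site could observe that eviction and infer the user's visits to other top-level sites. Minor: "that user's activity" reads better as "the user's activity".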