This specification is not being actively maintained,
and should not be used as a guide for implementations.
It may be revived in the future,
but for now should be considered obsolete.
If you have questions or comments on this specification,
please send an email to the editors.
This Note provides a historical reference for a proposed set of mechanisms
by which web developers can limit the ways
in which cookies may be set in the context of their sites and applications.
Status of this document
This section describes the status of this document at the time of
its publication. Other documents may supersede this document. A list of
current W3C publications and the latest revision of this technical report
can be found in the W3C technical reports
index at https://www.w3.org/TR/.
Work on this document has been discontinued and it should not be
referenced or used as a basis for implementation.
The (archived) public mailing list public-webappsec@w3.org (see instructions)
is preferred for discussion of this specification.
When sending e-mail,
please put the text “csp-cookies” in the subject,
preferably like this:
“[csp-cookies] …summary of comment…”
This document is a NOTE.
Publication as a Note does not imply endorsement by the W3C
Membership. It is inappropriate to cite this
document as other than work in progress.
Cookies are an HTTP state management mechanism that web developers rely on
heavily for important things like authentication. They are also quite fragile,
and have scoping rules that don’t mesh well with the origin model that
developers are familiar with. Cookies flow freely between schemes by default, can be set from subdomains or
limited to paths, and ignore ports entirely. The
disconnect between cookies and other types of storage opens up a number of
risks that are difficult to fully mitigate. See [YUMMY-COOKIES] for some
real-world examples of problems that have cropped up in the past.
This document defines mechanisms which allow developers to limit the ways in
which cookies can be set for a given protected resource.
1.1. Examples
MegaCorp Inc. hosts a number of pages which have no real need to write
cookies. Following the principle of least privilege, the clever developers
responsible for those pages send the following headers along with every HTTP
response, ensuring that no cookies can be set via Set-Cookie or document.cookie:
MegaCorp Inc. hosts a number of pages on http://non-secure.example.com which need to write cookies, but don’t need those cookies to span
subdomains. The following header ensures that cookies can only be set via Set-Cookie or document.cookie if those cookies are "host only" (e.g. the
cookie’s domain attribute is empty):
MegaCorp Inc. hosts a number of pages on https://secure.example.com which need to write cookies, but don’t need those cookies to span
subdomains. They’ll certainly set the host property, just
like the previous example, but since this is a secure site, they also wish
to ensure that any cookies they set also contain the secure attribute.
They can do so with the following header:
cookie-scope is a Content Security Policy directive[CSP] which restricts the cookies[RFC6265] which can be set in a particular context. The syntax is described by the
following ABNF grammar [RFC5234] (including the RWS rule
from [RFC7230]):
"secure" allows cookies to be set with a secure attribute, and will block setting any non-secure cookies.
These values MAY be combined in order to tighten the restrictions on a cookie.
That is, if both "host" and "secure" are
present, then cookies may only be set which are both secure and host-only.
If "none" is present with any combination of the other values,
no cookies may be set.
Erik Nygren proposed adding path restrictions as well. Is that worthwhile?
Monkey patching! Hey, maybe it’s time to reopen that cookie RFC after
all, eh @mnot? :)
We’ll need a mechanism to restrict reading from document.cookie, but I’d like something less specific than cookie-scope disable-dom-access or something similar. The linked GitHub bug is a proposal
that’s a bit more general and widely applicable. <https://github.com/w3c/webappsec-csp/issues/42>
3. Algorithms
3.1. Is cookie blocked for settings?
Given a cookie (cookie), and an environment settings
object (settings), this algorithm returns "Allowed" if cookie can be written, and "Blocked" if it violates one or
more of settings’s enforced Content Security Policies:
If token matches the grammar for scoping-rules, insert token into values.
Return values.
4. Security Considerations
4.1. Existing Cookies
Note that the mechanisms defined here do not protect against cookies that
already exist in a user’s cookie store. Those cookies are delivered
along with the HTTP request, before Content Security Policy can be delivered
and applied. It is possible that future work like [CSP-PINNING] might
enable these kinds of a priori restrictions, but, even then,
CSP should be seen as a mitigation strategy, layered on top of filters and
sanity checks for incoming data.
5. Acknowledgements
Mark Nottingham proposed this directive several years ago. Sorry it took so
long, Mark!
Conformance
Document conventions
Conformance requirements are expressed with a combination of
descriptive assertions and RFC 2119 terminology. The key words “MUST”,
“MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”,
“RECOMMENDED”, “MAY”, and “OPTIONAL” in the normative parts of this
document are to be interpreted as described in RFC 2119.
However, for readability, these words do not appear in all uppercase
letters in this specification.
All of the text of this specification is normative except sections
explicitly marked as non-normative, examples, and notes. [RFC2119]
Examples in this specification are introduced with the words “for example”
or are set apart from the normative text with class="example",
like this:
This is an example of an informative example.
Informative notes begin with the word “Note” and are set apart from the
normative text with class="note", like this:
Note, this is an informative note.
Conformant Algorithms
Requirements phrased in the imperative as part of algorithms (such as
"strip any leading space characters" or "return false and abort these
steps") are to be interpreted with the meaning of the key word ("must",
"should", "may", etc) used in introducing the algorithm.
Conformance requirements phrased as algorithms or specific steps can be
implemented in any manner, so long as the end result is equivalent. In
particular, the algorithms defined in this specification are intended to
be easy to understand and are not intended to be performant. Implementers
are encouraged to optimize.
Erik Nygren proposed adding path restrictions as well. Is that worthwhile? ↵
Monkey patching! Hey, maybe it’s time to reopen that cookie RFC after
all, eh @mnot? :) ↵
We’ll need a mechanism to restrict reading from document.cookie, but I’d like something less specific than cookie-scope disable-dom-access or something similar. The linked GitHub bug is a proposal
that’s a bit more general and widely applicable. <https://github.com/w3c/webappsec-csp/issues/42> ↵