+net-dev and security-dev via BCC.
Contact emails
Spec
https://tools.ietf.org/html/draft-west-first-party-cookies
Cookies are a form of ambient authority, attached by default to requests the user agent sends on a user's behalf to a particular host. Even when an attacker doesn't know the contents of a user's cookies, she can still execute commands on the user's behalf (and with the user's authority) by asking the user agent to send HTTP requests to unwary servers.
Link to “Intent to Implement” blink-dev discussion
https://groups.google.com/a/chromium.org/d/msg/blink-dev/vT98riFhhT0/3Q-lADqsh0UJ
Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
Demo link
If you have a demo page, link to it here.
Debuggability
The inspector has a cookies view behind the chrome://flags/#enable-devtools-experiments flag. I intend to add the 'First-Party-Only' attribute to that table. Otherwise, cookies are cookies, and remain visible in the network tab's header view.
Compatibility Risk
Low.
'First-Party-Only' cookies are defense-in-depth against CSRF attacks, which gracefully degrade into "normal" cookies in browsers that don't support the new attribute. That is, when presented with:
Cookie: key=value; First-Party-Only
Chrome would treat the cookie as First-Party-Only, other browsers would treat it as though the attribute wasn't there at all.
Folks at Mozilla seem excited about the change (see the conversation starting hereish: https://groups.google.com/d/msg/mozilla.dev.platform/yEqC74IgnqQ/wIVQh4W2EAkJ, and https://twitter.com/mr_goodwin/status/572755941436878849). CCing Mark Goodwin and Jonas Sicking in case they have specific feedback on the proposal, and to ensure that I'm not misrepresenting their opinions.
Moreover, this seems to be a feature that developers want. For instance, GitHub is already experimenting with the header for their `user_session` cookie: https://twitter.com/joshpeek/status/572564724350525442
As a counterpoint, folks on the IETF HTTP WG list were cooler in response, but did invite prototypes: https://lists.w3.org/Archives/Public/ietf-http-wg/2014OctDec/0752.html
If this experiment fails completely, we'll remove the 'First-Party-Only' attribute support from //net, and downgrade all such cookies to "normal" cookies, just as they were treated in every other browser. I don't believe there's any risk of lock-in here.
There is a single open question regarding how we should treat requests from Service Workers, as it's unclear whether those should be considered 'first' or 'third' party. For the moment, we've settled on keeping the same behavior for "first-party-only" cookies that we have for "third-party cookie blocking" in Chrome; that is, Service Workers are generally first-party, even if they're responding to requests from a third-party. It's likely that we'll want to change this at some point in the future, but I don't believe that discussion should block shipping this feature.
OWP launch tracking bug? https://crbug.com/459154
Link to entry on the feature dashboard: https://www.chromestatus.com/features/4672634709082112
-mike
Happy to see this go in. Also seems low risk given the fallback behavior you describe.
How do you plan to track usage?
On Thu, Mar 19, 2015 at 11:35 AM, Chris Bentzel <cben...@chromium.org> wrote:Happy to see this go in. Also seems low risk given the fallback behavior you describe.
How do you plan to track usage?An excellent question. I hadn't considered it, but should absolutely add some metrics. Are there any counts in particular that you'd find interesting? Adding a `Cookie.Type` seems reasonable, with buckets for `HttpOnly`, `Secure`, and `First-Party-Only` (as it doesn't look like we have metrics for those properties either).
Not sure! But Cookie.Type sounds pretty reasonable. Main question I have is whether it would be recorded at retrieval time before a request is sent, or at setting time (whether via Set-Cookie or via document.cookie).
One other question: does this show up in content settings UI display?
I also assume this would automatically show up in document.cookie or in the list of headers for WebRequest extensions?
As someone who was more reserves during the Intent to Implement, I think Mike has addressed my concerns - and the compat story - quite well.
I think the spec itself needs some tweaking, which I'll provide feedback separately from this I2S.
My biggest concern for compat risk now is Service Workers. I'm not entirely sure that calling them First Party is correct, but I may be missing bits. Just that if we ship with them being FP, sites may come to rely on that, and then any change to that policy may break SWs by making cookies disappear.
I'd kinda prefer if we opted for a fail close model where we treat SWs as third party until we can fully rationalize why they're FP. It does mean that sites may have to choose between FP cookies and SWs (with SWs generally being far more compelling, thus likely to win), but I feel like that may be a more consistent approach. The only risk would seem if we decide SWs are FPs, it might introduce new attack vectors on sites that relied on FP cookies + SWs being third parties...
Beyond the challenges of SWs and spec tweaking, I think this is sensible!
As someone who was more reserves during the Intent to Implement, I think Mike has addressed my concerns - and the compat story - quite well.
I think the spec itself needs some tweaking, which I'll provide feedback separately from this I2S.
My biggest concern for compat risk now is Service Workers. I'm not entirely sure that calling them First Party is correct, but I may be missing bits. Just that if we ship with them being FP, sites may come to rely on that, and then any change to that policy may break SWs by making cookies disappear.
I'd kinda prefer if we opted for a fail close model where we treat SWs as third party until we can fully rationalize why they're FP.
Beyond the challenges of SWs and spec tweaking, I think this is sensible!
On Thu, Mar 19, 2015 at 12:33 PM, Ryan Sleevi <rsl...@chromium.org> wrote:My biggest concern for compat risk now is Service Workers. I'm not entirely sure that calling them First Party is correct, but I may be missing bits. Just that if we ship with them being FP, sites may come to rely on that, and then any change to that policy may break SWs by making cookies disappear.
I agree that this is a risk. FWIW, it's already a risk with our existing "Block third-party cookies" behavior, as these features key off the same property (FirstPartyForCookies). This is good, as it ensures that we're consistent, but it's not clear that we're consistently correct. :)
Could you clarify what the SW behavior is exactly? Do you mean that all requests from a SW include First-Party-Only cookies period or that the SW is treated as a first-party context whose URL is the script's URL, independent of whether the documents attached to it are top-level or iframe?
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
It looks like the only thing that needs to be sorted is whether Service Workers should be considered first-party or third-party.
Alex, do you have any opinions about this? Is it likely that Service Workers will gain capabilities in the future that would increase the scope of the problem?
Mike, do you expect any trouble if you make Service Workers third party to begin with, or is this mainly a question of consistency with third-party cookie blocking?
2. lcamtuf@ also noted that I need to explicitly consider prerendering, which is a neat bypass that I hadn't considered. We might want to block prerendering origins with first-party cookies.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
+net-dev and security-dev via BCC.
Contact emails
Spec
https://tools.ietf.org/html/draft-west-first-party-cookies
Summary'First-Party-Only' cookies allow servers to mitigate the risk of cross-site request forgery and related information leakage attacks by asserting that a particular cookie should only be sent in a "first-party" context.MotivationCookies are a form of ambient authority, attached by default to requests the user agent sends on a user's behalf to a particular host. Even when an attacker doesn't know the contents of a user's cookies, she can still execute commands on the user's behalf (and with the user's authority) by asking the user agent to send HTTP requests to unwary servers.
For instance, `evil.com` can include `bank.com/admin/transfer-all-money-to-mike` in an `<img>` tag. That request will include cookies, and if the target doesn't do a good job defending itself (via CSRF tokens, for instance), it could execute commands on your behalf.This proposal is a simple mitigation strategy that allows servers to declare certain cookies as "first-party", and that they should be attached to requests if and only if they occur in a first-party context. It doesn't solve the problem, but it is a reasonable defense in depth.Link to “Intent to Implement” blink-dev discussion
https://groups.google.com/a/chromium.org/d/msg/blink-dev/vT98riFhhT0/3Q-lADqsh0UJ
Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
Demo link
If you have a demo page, link to it here.
On Thu, Mar 19, 2015 at 2:08 AM Mike West <mk...@chromium.org> wrote:+net-dev and security-dev via BCC.
Contact emails
Spec
https://tools.ietf.org/html/draft-west-first-party-cookies
Summary'First-Party-Only' cookies allow servers to mitigate the risk of cross-site request forgery and related information leakage attacks by asserting that a particular cookie should only be sent in a "first-party" context.
Sorry to be a downer
but it seems like an attacker can bypass this defense fairly easily.
Let's pretend for the moment that this proposal never mentioned "cross-site request forgery"
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
Hrm. +jochen, cbentzel as there was apparently some miscommunication about who was approving this feature. I landed it on their go-ahead, but I'm happy to revert given your concerns.
Could you be a bit more specific about what you'd like to see addressed before shipping a first pass?
-mike
I thought it was going through the Blink intent process? I guess this particular case is a gray area since it doesn't really touch Blink code.Re what should be addressed: my impression is that there is not full consensus on some details of the spec, in particular relating to Service Workers, and corner cases relating to caveats around CSRF that you referenced/alluded to a few emails back. It sounded to me from that that it would be worth going into more details on those question in the spec, then coming back with answers that can be re-reviewed by experts in the subject area.