Contact emails
awi...@chromium.org, mike...@chromium.org
Explainer
https://github.com/httpwg/http-extensions/issues/1531
https://github.com/httpwg/http-extensions/pull/1589
Specification
https://github.com/httpwg/http-extensions/blob/main/draft-ietf-httpbis-rfc6265bis.md
Summary
Updates how control characters in cookie data are handled. Specifically, the tab character is now permitted, but all other control characters cause the entire cookie to be rejected (previously the \x00, \x0D, and \x0A characters in a cookie line caused it to be truncated instead of rejected entirely, which could have enabled malicious behavior in certain circumstances). This behavior is also in line with the latest drafts of RFC6265bis.
Blink component
Motivation
In the case where attacker controlled data is used to set a new cookie, having certain control characters truncate the cookie line could result in security-related cookie attributes being ignored. This behavior may also lead to cookie data corruption when control characters are introduced, which may cause unpredictable behavior on the application side (more so than cookies not being set, which is a case that applications should already handle). Having control characters result in the whole cookie being rejected helps mitigate these concerns and aligns Chrome with RFC6265bis. For the tab character, although it falls in the control character range (\x00 - \x1F, \x7F), it’s a printable character and allowed by other browsers. Treating it the same way that the space character is treated makes sense intuitively, eliminates a potential fingerprinting vector, and aligns Chrome with RFC6265bis.
Initial public proposal
TAG review
N/A: this change is already specified in RFC 6265bis and is a relatively minor change to what's already implemented in Chrome (to improve spec compliance).
TAG review status
Not applicable
Risks
N/A
Interoperability and Compatibility
WebKit / Safari:
- All control characters except the tab character cause the cookie to be rejected if present in the name and cause the rest of the cookie line to be truncated if present in the value
Gecko / Firefox:
- 0x00 in the cookie value causes the rest of the value to be truncated (but subsequent attributes are preserved)
- 0x00 in the cookie name causes the rest of the name and the value to be truncated (but subsequent attributes are preserved)
- 0x0d and 0x0a cause the entire cookie line to be truncated (attributes ignored)
- 0x01 through 0x09 (the tab character), 0x0b through 0x0c, and 0x0e through 0x1f cause the cookie to be rejected if they are present in the name, but are allowed in the cookie value
- 0x7f is allowed in the cookie name and cookie value
The following issues exist reporting these differences:
Allowing tab characters in cookie names aligns Chrome with Safari but not Firefox, and allowing tabs in the cookie value aligns Chrome with both.
Regarding control characters (not including tab), what will change in Chrome is the handling of 0x00, 0x0d, and 0x0a characters. Today, Chrome truncates cookie lines when these characters are encountered, and this intent proposes having these characters result in cookie rejection instead. Rejecting cookie names containing these characters aligns Chrome with Safari but not Firefox, but rejecting cookie values containing these characters is inconsistent with existing Safari or Firefox behavior. However, these changes unify Chrome’s control character handling behavior, better align Chrome with RFC6265bis, and also help prevent a class of cookie attribute removal attacks (when malicious input is used to build a cookie line under certain conditions).
Gecko: N/A - these changes seem too small to justify this effort
WebKit: N/A - these changes seem too small to justify this effort
Web developers: N/A - these changes are relatively small and are in alignment with the RFC, other browsers, and/or existing behavior
DevTools debugging support will be implemented along with this change. Rejected response cookies are already shown in DevTools in the Network panel, with a status explaining why they were rejected. Another status will be added to annotate cookies rejected due to control characters.
In Progress - https://chromium-review.googlesource.com/c/chromium/src/+/3084521
UpdatedCookieControlCharacterChecks
False
https://bugs.chromium.org/p/chromium/issues/detail?id=1233602
M96
https://www.chromestatus.com/feature/5709264560586752
Requesting approval to ship?
Yes
This intent message was generated by Chrome Platform Status.
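The difference between truncating and rejecting that the intent describes, as an added JavaScript sketch that is not Chromium's parser and not part of the original message. The function names and sample lines are constructed for illustration, attribute parsing is simplified, and the truncating parser models only the three characters whose handling changes.

```javascript
// Added illustration; not Chromium code. Names and sample lines are constructed.
const TAB = 0x09;
// Control range quoted in the intent: \x00-\x1F plus \x7F.
const isControl = (c) => c <= 0x1f || c === 0x7f;

// Simplified parsing: first ';'-separated pair is name=value, the rest are attributes.
function parsePairs(line) {
  const [first, ...rest] = line.split(";");
  const eq = first.indexOf("=");
  if (eq < 0) return null;
  const attrs = rest
    .map((a) => a.trim().split("=")[0].toLowerCase())
    .filter(Boolean);
  return {
    name: first.slice(0, eq).trim(),
    value: first.slice(eq + 1).trim(),
    secure: attrs.includes("secure"),
    httpOnly: attrs.includes("httponly"),
  };
}

// Previous behaviour described in the intent: \x00, \x0D or \x0A ends the
// cookie line, so every attribute after that point is silently dropped.
function parseTruncating(line) {
  const cut = line.search(/[\x00\x0d\x0a]/);
  return parsePairs(cut < 0 ? line : line.slice(0, cut));
}

// New behaviour: any control character other than tab rejects the whole cookie.
function parseRejecting(line) {
  for (let i = 0; i < line.length; i++) {
    const c = line.charCodeAt(i);
    if (isControl(c) && c !== TAB) return null;
  }
  return parsePairs(line);
}

// Server-side guard (hypothetical helper): refuse to emit a cookie line that
// a rejecting browser would drop or a truncating browser would cut short.
function buildSetCookie(name, value) {
  const line = `${name}=${value}; Secure; HttpOnly`;
  if (parseRejecting(line) === null) {
    throw new Error("control character in cookie name or value");
  }
  return line;
}

// Constructed sample: a NUL inside the value, followed by security attributes.
const SAMPLE = "sid=abc\x00def; Secure; HttpOnly";
console.log("truncating:", parseTruncating(SAMPLE)); // value cut, attributes lost
console.log("rejecting: ", parseRejecting(SAMPLE));  // whole cookie rejected
console.log("tab kept:  ", parseRejecting("pref=a\tb; Secure"));
```
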
Even if browsers are currently slightly incompatible, it seems this change will short term make them more incompatible. As Yoav said, it would be good to have an idea about how common this is, i.e. how often will cookies that are today truncated instead be rejected?
/Daniel
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e2de8b96-8878-47fe-99e2-5497b96c9adcn%40chromium.org.
Hey Andrew,
Given that the metrics are not a superset of what you're trying to deprecate, could you please add CountDeprecation metrics of the case you are intending to deprecate? That would ensure e.g. deprecation reports are sent to folks that happen to have such cookies.
Even though you haven't really asked, from my perspective, it's also fine to add a console deprecation message at this point, in parallel to the metrics.
Cheers :)
Yoav
Hi Ian and Yoav,
I believe the general guidance now for warning users of some change is to use DevTools Issues rather than console warnings. Would using Issues, instead of console warnings, be acceptable to you? (This would be in addition to the reports.)
Thanks,
Steven
The last thing happening in this thread was that we decided to wait for data. What is the current status of those usecounters, have they reached the user base now?
/Daniel
LGTM3
/Daniel
I can't point to any individual and https://www.chromium.org/developers/enterprise-changes points to a mailing list, so I guess that mailing list, or those frequenting it, is a start point.
/Daniel
Thanks for the LGTMs Yoav, Mike, and Daniel!
Yoav, we haven't implemented warnings of any kind (DevTools Issues or deprecation reports via the Reporting API) for this yet...
Thanks for the link, Daniel, and thank you to Mike as well for sending me a Chrome Enterprise PoC to reach out to.
Yoav, do you think waiting two or three months between when we implement DevTools Issues / deprecation reports for this and when we do the removal would be sufficient?
My LGTM still stands for the remaining subset. I don't think you need a new thread for it. Good detecting to figure all of that out.
/Daniel
Thank you all for your attention.