Network Working Group R. Pietrak Internet-Draft May 8, 2021 Intended status: Standards Track Expires: November 9, 2021 Cookie Extension Limiting Its Availability to User Agent Components draft-pietrak-cookie-scope-01 Abstract This memo addresses cookies security by introduction of an additional constraints, web application designer may impose on cookie availability for localhost applications components. Here proposed new cookie attribute attempts to provide that missing functionality while retaining all currently known use scenarios of cookies. However, this new attribute is designed to be more useful for banking applications, then for social media networks. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on November 9, 2021. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must Pietrak Expires November 9, 2021 [Page 1] Internet-Draft Cookies Local Scope May 2021 include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Cookie Radius attribute . . . . . . . . . . . . . . . . . . . 4 3.1. Radius attribute names . . . . . . . . . . . . . . . . . 4 3.2. Radius values . . . . . . . . . . . . . . . . . . . . . . 5 3.3. Radius interaction with other attributes . . . . . . . . 5 3.4. application altering Radius . . . . . . . . . . . . . . . 6 4. Examples of use scenarios . . . . . . . . . . . . . . . . . . 7 5. Security . . . . . . . . . . . . . . . . . . . . . . . . . . 7 5.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 7 5.2. Implementation . . . . . . . . . . . . . . . . . . . . . 7 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 1. Introduction As of current standard, HTTP state management mechanism RFC 6265 [refs.RFC6265], provide tools (in the form of cookie attributes) to limit the dissemination of any particular cookie. Those constraints are: o Cookie domain o Cookie expiration time o HttpOnly attribute o Secure attribute Pietrak Expires November 9, 2021 [Page 2] Internet-Draft Cookies Local Scope May 2021 But, current standard doesn't provide means to control the scope cookies are available to localhost components, like user agent software. These days search engines provide host of evidence that programmers continuously look for such means. Usually, the question is: "How do I limit my session cookie to just a single tab?". The questions comes from evident need to move away out off user session-ID (acquired after login/pass verification) visible in plain sight as part of URL referring to the access limited pages. Usually, plans to do such migrations are evaluated under strict requirement, that current functionality remains unaltered. Here the required functionality usually boils down to having such session-ID not shared among interface components which weren't involved in credentials verification. Meaning, that only the tab that provided credentials (login/pass) will be authorized to access those particular resources. In other words: since currently every window and every tab may have a different URL retrieved, it should also be possible for it to have different (from other tabs) session login credentials. This is considered a desired (or even required) feature. As of now, storing such login session credentials within a cookie (which is also widely used to hold session credentials) alters this functionality, and so is not acceptable for those migrations. The functionality is lost, because a cookie set in one tab of web browser will be immediately available to all other tabs. On the other hand, current functionality of sharing all cookies between all application components is desired by other web application programmers. This memo introduces cookie attribute, which will maintain current cookie behavior, while allowing for currently missing cookie scope limitations to be explicitly set by web application programmer. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [refs.RFC2119] when, and only when, they appear in all capitals, as shown here. The following other terms will be used in this memo according to definitions below: user: Within a computer system the term "user" means any set of components holding the same security credentials. These credentials may originate (or be derived) from a physical person Pietrak Expires November 9, 2021 [Page 3] Internet-Draft Cookies Local Scope May 2021 giving them out to a login application, or they may originate from kernel maintained vault of credentials designated for system components when system (unattended) application actions are due. System services like ntp service, or MTA (mail transport agent) are examples of the later case. application: Any programmatic component of a computer system. app-window: Any input/output channel, that an application may have an access to independently from other such channels. An example of such channel is GUI window, which gets data (like graphics) from an application, while all other windows of that same application does not get disturbed by that data stream. Every HTTP data stream, from open to close is considered a separate window, with the exception below, where "tabs" are defined. window: A synonym to app-window. window-tab: Any part of a window, that holds and presents (or processes) one HTML document, including all objects that may be retrieved separately (separate HTTP connections), but are a part (functionally or aesthetically) of the main document. It's valid to say, that a tab is whatever is necessary to present (or process) whatever server returns in response for a single user click, including all the subcomponents, that HTML defines to be retrieved as a result of that click. tab: A synonym to window-tab viewport: A single window-tab currently selected (activated/focused/ visible) to/by the user. 3. Cookie Radius attribute 3.1. Radius attribute names Cookie Radius attribute will have the following names: SetRadius: when send from the server to web browser. RadiusSet: when returned from web browser to the server. This is to let server distinguish those web browsers that actually support cookie Radius limitations from those that blindly return cookies as provided. Pietrak Expires November 9, 2021 [Page 4] Internet-Draft Cookies Local Scope May 2021 3.2. Radius values Cookie Radius attribute will have only one of the following four values, and system behavior for each of them is the following: World: Cookie will be available to all user applications. Every web browsers launched by a particular user will see that cookie. When an application does not implement access to OS defined store for such cookies, this value MUST be implemented as synonym missing Radius attribute, which in turn MUST be implemented as synonym to SetRadius=Windows. Still, even if such store is defined by the OS, application MAY choose to implement World value of Radius attribute as synonym to SetRadius=Windows. Windows: Cookie will be available to all the windows of an application that received that cookie. This is the default value of cookie Radius attribute. This value represent today's implementations and current practices of cookie handling by web applications. Nothing should be changed in handling of a cookie with this Radius value as compared to todays implementation. Tabs: Cookie will be available to all the tabs of the same window. A window, the tab that received that cookie, belongs to. When an application does not implement tags of their windows, this value MUST be interpreted as synonym to SetRadius=Windows. Application MAY choose to implement SetRadius=Tabs request as a synonym to SetRadius=Windows request. Viewport: Cookie will not be available to any other system component, but the tab, that received it. When cookie Radius attribute is not defined by a cookie, it MUST be assumed to have a value of "Windows". When cookie Radius attribute is defined, but it's value is unrecognized, applications MUST assume it's value is "Viewport". 3.3. Radius interaction with other attributes HttpOnly cookie attribute is completely independent and implementations WILL NOT correlate values of HttpOnly attribute with any value of cookie Radius attribute. Cookie "domain" interferes with cookie Radius only when its value is "Viewport". In that case (either explicitly set or assumed as default), "domain" is set to domain of URL retrieved irrespectively of setting within the cookie. Consequently availability of such cookie is not only limited to a single viewport, but also to a "domain" the tab content originated from. Pietrak Expires November 9, 2021 [Page 5] Internet-Draft Cookies Local Scope May 2021 In other words, "Viewport" cookies never traverse domains. Implementation MAY choose to register origin of a document with SetRadius=Viewport and do a filtering-away of subcomponents from its fetch-list based on that value, instead of changing cookie domain and relay on standard cookie dispatch mechanism. Such implementation will unnecessarily limit document contents to single domain, while what is actually required is to prevent SetRadius=Viewport cookies from being exposed to other domains. Such unnecessary limitation is undesired, but allowed. It must be pointed out here, that the above "domain" restriction is in fact the core feature of here proposed new Radius cookie attribute. For a cookie with SetRadius=Viewport to be functionally equivalent to session token being placed inside document URL, it is required, that no remote party (like an embedded picture from a different "domain") other then the server of the master document, will ever get any piece of information that originally was part of the main document session security token in its URL. This is a security feature. Cookies with Radius set to Viewport MUST expire when their Viewport is closed. This SHOULD NOT influence application normal reaction to server provided "expires" or "max-age" attributes, only in that for cookies with SetRadius=Viewport, Viewport close event takes precedence over any of them. 3.4. application altering Radius User agent MAY let users further tighten the scope of a cookie below the radius declared in cookie Radius attribute, but it MUST NOT allow user to expand the radius. That is particularly important for "HttpOnly=false" cookies. "SetRadius=Viewport; HttpOnly=false" cookies are visible to the scripting engine, and can be modified. However implementation MUST NOT let scripts expand their Radius, too. The only action allowed for both application controls and scripting engine is the reduction of the Radius. After Radius is reduced, there MUST NOT be any local to application way to get back the initial radius. The only way to expand cookie Radius (back) is to refresh the Viewport from server and relay on server to ignore the currently reported new RadiusSet=value - which it may or may not do, depending on the application. Note, that in the above scenario, server may respond with a different document asking user for confirmation of the decision to reduce the Radius. Pietrak Expires November 9, 2021 [Page 6] Internet-Draft Cookies Local Scope May 2021 4. Examples of use scenarios The following examples are discussed here to further define the intended use of the cookie Radius attribute: o popup windows WILL NOT have access to cookies with Viewport value of their Radius. One exception to that rule is a popup window that is a result of user click on anchor document tag. No matter if that tag has or has not it's target diverted from "_self", any Viewport that resulted from such click WILL get all the Viewport cookies original document had. o window.open(, ) request from a document with cookie having SetRadius=Viewport will only be send to the server, if and only if is equal to "_self" and is equal to the domain of current document (and thus to that cookie). This constraint in actions (as compared to popup windows above) is here to limit the influence of scripting in background - limit the actions without user explicit consent. o Parts of document created with document.write() action, will not be interpreted any differently. This is because for all documents with SetRadius=Viewport cookies, the script attempting that surely came from the same domain/origin as the modified document itself. Actual implementations of SetRadius=Viewport cookies MAY use a dedicated part of sessionStore application repository to satisfy the requirement to flush those cookies at session end and to block other Viewports from accessing it. 5. Security 5.1. General The actual impact of the proposed cookie attribute can only be truly evaluated after its wide implementation and use in other then here presented scenarios. The potential to limit the leakage of security data (login credentials) between application components may help improve internet security. 5.2. Implementation Functionally, cookies with SetRadius=Viewport can be quite closely implemented with document.cookie and window.sessionStore like: o on successful login, server responses with security tokens on a SetRadius=Viewport cookie. Pietrak Expires November 9, 2021 [Page 7] Internet-Draft Cookies Local Scope May 2021 o Content of that cookie is put into the sessionStore. o every anchor would get an onclick() event hook, which will create session cookie, which in turn will get dispatched to server as all other relevant cookies. o once response page is loaded, relevant (but different) function will delete the cookie from the application. Only in such implementation the cookie created right before anchor triggering a GET request is available to all other windows and tags of the application, and not only it leaks security information, but also can influence other documents in other windows and tabs by substituting their security tokens of the same name, with value not belonging to them. Such implementation cannot be accepted as a workaround for missing Radius cookie attribute. 6. References [refs.RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997. [refs.RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, April 2011. Author's Address Rafal Pietrak Email: cookie.rp@ztk-rp.eu Pietrak Expires November 9, 2021 [Page 8]