On Thu, Apr 14, 2016 at 10:54 PM, Chris Peterson <cpeter...@mozilla.com> wrote:
> > Focusing on third-party session cookies is an interesting idea. > "Sessionizing" non-HTTPS third-party cookies would encourage ad networks > and CDNs to use HTTPS, allowing content sites to use HTTPS without mixed > content problems. Much later, we could consider sessionizing even HTTPS > third-party cookies. > How about we sessionize only 3rd party HTTP cookies from sites that are on our tracking protection list? That seems the most targeted way to encourage ad networks to bump up to HTTPS with a minimal amount of collateral damage to other users of 3rd party HTTP cookies. > We seem to have this already: network.cookie.thirdparty.sessionOnly Correct, that's what it does. Jason > > On 4/14/16 1:54 AM, Chris Peterson wrote: > >> Summary: Treat cookies set over non-secure HTTP as session cookies >> >> Exactly one year ago today (!), Henri Sivonen proposed [1] treating >> cookies without the `secure` flag as session cookies. >> >> PROS: >> >> * Security: login cookies set over non-secure HTTP can be sniffed and >> replayed. Clearing those cookies at the end of the browser session would >> force the user to log in again next time, reducing the window of >> opportunity for an attacker to replay the login cookie. To avoid this, >> login-requiring sites should use HTTPS for at least their login page >> that set the login cookie. >> >> * Privacy: most ad networks still use non-secure HTTP. Content sites >> that use these ad networks are prevented from deploying HTTPS themselves >> because of HTTP/HTTPS mixed content breakage. Clearing user-tracking >> cookies set over non-secure HTTP at the end of every browser session >> would be a strong motivator for ad networks to upgrade to HTTPS, which >> would unblock content sites' HTTPS rollouts. >> >> However, my testing of Henri's original proposal shows that too few >> sites set the `secure` cookie flag for this to be practical. Even sites >> that primarily use HTTPS, like google.com, omit the `secure` flag for >> many cookies set over HTTPS. >> >> Instead, I propose treating all cookies set over non-secure HTTP as >> session cookies, regardless of whether they have the `secure` flag. >> Cookies set over HTTPS would be treated as "secure so far" and allowed >> to persist beyond the current browser session. This approach could be >> tightened so any "secure so far" cookies later sent over non-secure HTTP >> could be downgraded to session cookies. Note that Firefox's session >> restore will persist "session" cookies between browser restarts for the >> tabs that had been open. (This is "eternal session" feature/bug 530594.) >> >> To test my proposal, I loaded the home pages of the Alexa Top 25 News >> sites [2]. These 25 pages set over 1300 cookies! Fewer than 200 were set >> over HTTPS and only 7 had the `secure` flag. About 900 were third-party >> cookies. Treating non-secure cookies as session cookies means that over >> 1100 cookies would be cleared at the end of the browser session! >> >> CONS: >> >> * Sites that allow users to configure preferences without logging into >> an account would forget the users' preferences if they are not using >> HTTPS. For example, companies that have regional sites would forget the >> user's selected region at the end of the browser session. >> >> * Ad networks' opt-out cookies (for what they're worth) set over >> non-secure HTTP would be forgotten at the end of the browser session. >> >> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1160368 >> >> Link to standard: N/A >> >> Platform coverage: All platforms >> >> Estimated or target release: Firefox 49 >> >> Preference behind which this will be implemented: >> network.cookie.lifetime.httpSessionOnly >> >> Do other browser engines implement this? No >> >> [1] >> >> https://groups.google.com/d/msg/mozilla.dev.platform/xaGffxAM-hs/aVgYuS3QA2MJ >> >> [2] http://www.alexa.com/topsites/category/Top/News >> > > _______________________________________________ > dev-platform mailing list > dev-platform@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-platform > -- Jason _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
