On Fri, Apr 15, 2016 at 2:12 AM, Jason Duell <jdu...@mozilla.com> wrote:
> On Thu, Apr 14, 2016 at 10:54 PM, Chris Peterson <cpeter...@mozilla.com> wrote:
>
>> Focusing on third-party session cookies is an interesting idea.
>> "Sessionizing" non-HTTPS third-party cookies would encourage ad networks
>> and CDNs to use HTTPS, allowing content sites to use HTTPS without mixed
>> content problems. Much later, we could consider sessionizing even HTTPS
>> third-party cookies.
>>
>
> How about we sessionize only 3rd party HTTP cookies from sites that are on
> our tracking protection list? That seems the most targeted way to
> encourage ad networks to bump up to HTTPS with a minimal amount of
> collateral damage to other users of 3rd party HTTP cookies.
> (We could presumably keep a list of CDNs too and sessionize those as well)
>
> Jason
>
> We seem to have this already: network.cookie.thirdparty.sessionOnly
>
> Correct, that's what it does.
>
> Jason
>
>> On 4/14/16 1:54 AM, Chris Peterson wrote:
>>
>>> Summary: Treat cookies set over non-secure HTTP as session cookies
>>>
>>> Exactly one year ago today (!), Henri Sivonen proposed [1] treating
>>> cookies without the `secure` flag as session cookies.
>>>
>>> PROS:
>>>
>>> * Security: login cookies set over non-secure HTTP can be sniffed and
>>> replayed. Clearing those cookies at the end of the browser session would
>>> force the user to log in again next time, reducing the window of
>>> opportunity for an attacker to replay the login cookie. To avoid this,
>>> login-requiring sites should use HTTPS for at least their login page
>>> that sets the login cookie.
>>>
>>> * Privacy: most ad networks still use non-secure HTTP. Content sites
>>> that use these ad networks are prevented from deploying HTTPS themselves
>>> because of HTTP/HTTPS mixed content breakage. Clearing user-tracking
>>> cookies set over non-secure HTTP at the end of every browser session
>>> would be a strong motivator for ad networks to upgrade to HTTPS, which
>>> would unblock content sites' HTTPS rollouts.
>>>
>>> However, my testing of Henri's original proposal shows that too few
>>> sites set the `secure` cookie flag for this to be practical. Even sites
>>> that primarily use HTTPS, like google.com, omit the `secure` flag for
>>> many cookies set over HTTPS.
>>>
>>> Instead, I propose treating all cookies set over non-secure HTTP as
>>> session cookies, regardless of whether they have the `secure` flag.
>>> Cookies set over HTTPS would be treated as "secure so far" and allowed
>>> to persist beyond the current browser session. This approach could be
>>> tightened so any "secure so far" cookies later sent over non-secure HTTP
>>> could be downgraded to session cookies. Note that Firefox's session
>>> restore will persist "session" cookies between browser restarts for the
>>> tabs that had been open. (This is "eternal session" feature/bug 530594.)
>>>
>>> To test my proposal, I loaded the home pages of the Alexa Top 25 News
>>> sites [2]. These 25 pages set over 1300 cookies! Fewer than 200 were set
>>> over HTTPS and only 7 had the `secure` flag. About 900 were third-party
>>> cookies. Treating non-secure cookies as session cookies means that over
>>> 1100 cookies would be cleared at the end of the browser session!
>>>
>>> CONS:
>>>
>>> * Sites that allow users to configure preferences without logging into
>>> an account would forget the users' preferences if they are not using
>>> HTTPS. For example, companies that have regional sites would forget the
>>> user's selected region at the end of the browser session.
>>>
>>> * Ad networks' opt-out cookies (for what they're worth) set over
>>> non-secure HTTP would be forgotten at the end of the browser session.
>>>
>>> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1160368
>>>
>>> Link to standard: N/A
>>>
>>> Platform coverage: All platforms
>>>
>>> Estimated or target release: Firefox 49
>>>
>>> Preference behind which this will be implemented:
>>> network.cookie.lifetime.httpSessionOnly
>>>
>>> Do other browser engines implement this? No
>>>
>>> [1]
>>> https://groups.google.com/d/msg/mozilla.dev.platform/xaGffxAM-hs/aVgYuS3QA2MJ
>>>
>>> [2] http://www.alexa.com/topsites/category/Top/News
>>>
>>
>> _______________________________________________
>> dev-platform mailing list
>> dev-platform@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-platform
>>
>
> --
> Jason

--
Jason
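As an added illustration of the proposal quoted above (not code from the thread or from Firefox), the following Python models the policy and the tally Chris describes: every Set-Cookie header is classified by the scheme of the response that carried it, plain-HTTP cookies are demoted to session cookies regardless of Expires/Max-Age or the `secure` flag, HTTPS cookies stay "secure so far", and the optional tightening downgrades one that is later sent over HTTP. The `http_session_only` parameter stands in for the proposed pref `network.cookie.lifetime.httpSessionOnly`; `site_of` is a deliberately crude eTLD+1 heuristic, and the sample headers and hostnames are constructed, not measured.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def site_of(host):
    # Crude eTLD+1 (last two labels); real code would consult the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def classify(page_url, response_url, set_cookie, http_session_only=True):
    """One Set-Cookie header under the proposal; http_session_only stands in for the
    proposed pref network.cookie.lifetime.httpSessionOnly (plain-HTTP cookies become session-only)."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    (name, morsel), = jar.items()  # one header, one cookie
    over_https = urlsplit(response_url).scheme == "https"
    cookie_host = morsel["domain"].lstrip(".") or urlsplit(response_url).hostname
    persistent_as_sent = bool(morsel["expires"] or morsel["max-age"])
    return {
        "name": name,
        "set_over_https": over_https,
        "secure_flag": bool(morsel["secure"]),
        "third_party": site_of(cookie_host) != site_of(urlsplit(page_url).hostname),
        "persists_past_session": persistent_as_sent and (over_https or not http_session_only),
        "secure_so_far": over_https,  # candidate for the tightening below
    }

def downgrade_if_sent_plain(record, request_url):
    """Tightening floated in the proposal: a 'secure so far' cookie later sent over HTTP becomes session-only."""
    if urlsplit(request_url).scheme != "https":
        return dict(record, secure_so_far=False, persists_past_session=False)
    return record

def tally(page_url, observed):
    """Aggregate the way the Alexa Top 25 News measurement in the thread was reported."""
    recs = [classify(page_url, url, hdr) for url, hdr in observed]
    return {
        "total": len(recs),
        "set_over_https": sum(r["set_over_https"] for r in recs),
        "secure_flag": sum(r["secure_flag"] for r in recs),
        "third_party": sum(r["third_party"] for r in recs),
        "cleared_at_session_end": sum(not r["persists_past_session"] for r in recs),
    }

PAGE = "https://news.example/"  # constructed top-level page
SAMPLE = [  # constructed: (URL of the response that carried the header, Set-Cookie header)
    ("https://news.example/", "sid=abc123; Path=/; Max-Age=2592000; Secure; HttpOnly"),
    ("https://news.example/", "prefs=dark; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT"),
    ("http://news.example/region", "region=us-east; Path=/; Max-Age=31536000"),
    ("http://ads.adnet-example.net/pixel", "uid=t42; Domain=.adnet-example.net; Max-Age=63072000"),
    ("http://cdn.example-cdn.com/lib.js", "cdn=x; Path=/"),
]
```

Running `tally(PAGE, SAMPLE)` shows the three cookies set over plain HTTP (including the regional preference, which is the first con listed above) cleared at session end, while the two set over HTTPS persist.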