Wednesday, 3 February 2016

First-Party-Only Cookies - nice solution to mitigate CSRF

Just saw https://tools.ietf.org/html/draft-west-first-party-cookies-01 which proposes

   This document updates RFC6265 by defining a "First-Party-Only"
   attribute which allows servers to assert that a cookie ought to be
   sent only in a "first-party" context.  This assertion allows user
   agents to mitigate the risk of cross-site request forgery attacks,
   and other related paths to cross-origin information leakage.

It looks really good, and it seems that Chrome 50 is going to support it https://www.chromestatus.com/features/4672634709082112

The current solution seems to be inspired by the SameDomain Cookie attribute as described at http://people.mozilla.org/~mgoodwin/SameDomain/samedomain-latest.txt

I actually prefer the SameDomain name to First-Party-Cookies :)
Post a Comment