Cookies have many problems: a Chrome engineer proposes a plan to reform them

A few days ago Chrome engineer Mike West published an article proposing a reform of the Cookie standard, with the aim of strengthening HTTP state management.


Mike analysed several problems with cookies as they exist today: they are hard to use securely, they waste user resources, and they raise privacy issues, because they can be used to track a user's activity on the network in surprising ways.

On wasting user resources, Mike explains that a server can store a large number of cookies under a registrable domain, and many of them are sent along with every HTTP request. Chrome, for example, allows about 180 cookies per domain, which amounts to roughly 724 kB of data. Looking at the Cookie headers actually sent, the median request header size is 409 bytes, but the 90th percentile is 1589 bytes, the 95th percentile 2549 bytes, and the 99th percentile reaches 4601 bytes; about 0.1% of Cookie headers are very large, exceeding 10 kB. Abuse on this scale is inefficient.

On privacy, cookies are well known as a means of authenticating identity, but they can equally be used to track information about the user covertly.

As for the difficulty of using them securely, Mike lists several security problems that developers run into when using cookies:

Cookies are accessible to JavaScript by default, which lets XSS obtain persistent credentials. Although the HttpOnly attribute was introduced more than ten years ago, currently only about 8.31% of Set-Cookie headers set it. By default cookies are also sent to non-secure origins, which allows credentials to be stolen. Although the Secure attribute can mark a cookie as secure-origin-only, currently only about 7.85% of Set-Cookie headers set it. Cookies are frequently sent without the code that issues the request being aware of it. The SameSite attribute can reduce CSRF risk, but currently only about 0.06% of Set-Cookie headers set it.

Mike argues that, on the one hand, the attributes cookies offer to mitigate these security problems are very poorly adopted, and on the other hand cookies do not follow the security boundaries the Web enforces for every other kind of accessible data. They flow across origins within a given registrable domain, they ignore port and scheme, which means they can be forged easily by network attackers, and they can be scoped down to specific paths. These properties make them hard to reason about, and they weaken the incentive to align with the same-origin policy that governs the rest of the platform.

Mike proposes a new plan. As he explains it, for every secure origin the user visits, the user agent generates a single 256-bit token that it alone controls, representing the user's HTTP state for that origin. The token is conveyed to the origin in a structured HTTP request header:

Sec-HTTP-State: token=*J6BRKagRIECKdpbDLxtlNzmjKo8MXTjyMomIwMFMonM*

This identifier is roughly similar to a client-controlled cookie, but with several notable differences:

The client controls the token's value, not the server. The token is available only at the network layer and cannot be used from JavaScript (including network-like JavaScript such as Service Workers). The user agent generates only a single 256-bit token per origin, and exposes the token only to the origin that created it. No token is generated for, or delivered to, non-secure origins. By default the token is delivered with same-site requests. The token persists until the server, the user, or the user agent resets it.
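To make these rules concrete, here is an added Python model of the user agent's per-origin token store. It is example code written for this article, not part of Mike's proposal or of Chrome. It assumes a simplified notion of "site" (the last two host labels, where a real user agent would consult the Public Suffix List) and encodes the 256-bit token as unpadded URL-safe base64; the HttpStateTokenStore class and its methods are invented for the example.

```python
import base64
import secrets
from urllib.parse import urlsplit


class HttpStateTokenStore:
    """Constructed model of a user agent holding one 256-bit token per secure origin.

    There is deliberately no method that hands the raw token to page script: the
    token is a network-layer value only, so the only consumer is header_for_request.
    """

    def __init__(self):
        self._tokens = {}  # origin string -> unpadded base64url token

    @staticmethod
    def origin_of(url):
        """scheme://host:port, so https://a.test and https://a.test:8443 differ."""
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        return f"{parts.scheme}://{parts.hostname}:{port}"

    @staticmethod
    def site_of(url):
        # Assumption: the registrable domain is approximated by the last two host
        # labels. A real user agent would use the Public Suffix List here.
        host = urlsplit(url).hostname or ""
        return ".".join(host.split(".")[-2:])

    def token_for(self, url):
        """Return the origin's token, minting one on first use; None for non-secure origins."""
        origin = self.origin_of(url)
        if not origin.startswith("https://"):
            return None  # never generated for, or delivered to, a non-secure origin
        if origin not in self._tokens:
            raw = secrets.token_bytes(32)  # 256 bits chosen by the client, not the server
            self._tokens[origin] = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
        return self._tokens[origin]

    def reset(self, url):
        """Drop the origin's token; the next request to it gets a fresh one."""
        self._tokens.pop(self.origin_of(url), None)

    def header_for_request(self, request_url, initiator_url):
        """Build the Sec-HTTP-State header for a request, or None if nothing is delivered.

        Default delivery is same-site: a request initiated from another site
        carries no token, which is the CSRF-resistant default described above.
        """
        if self.site_of(request_url) != self.site_of(initiator_url):
            return None
        token = self.token_for(request_url)
        if token is None:
            return None
        return f"Sec-HTTP-State: token=*{token}*"


if __name__ == "__main__":
    store = HttpStateTokenStore()
    print(store.header_for_request("https://example.com/api", "https://www.example.com/"))
    print(store.header_for_request("https://example.com/api", "https://other.test/"))  # None
    print(store.token_for("http://example.com/"))  # None: not a secure origin
```

Note that the token is keyed by full origin, so https://sub.example.com gets a different token from https://example.com even though both are the same site; only the delivery rule, not the token's scope, is site-based.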

On this foundation, developers are offered a few knobs, triggered through the Sec-HTTP-State-Options HTTP response header, such as the following options:

1, Some servers need access to their token across sites, while others may wish to narrow delivery to same-origin requests; the server can specify either option:

Sec-HTTP-State-Options: ..., delivery=cross-site, ...

Or:

Sec-HTTP-State-Options: ..., delivery=same-origin, ...

2, Some servers want to limit the token's lifetime; they can set a TTL (in seconds):

Sec-HTTP-State-Options: ..., ttl=3600, ...

After that time expires, the token's value is automatically replaced. A server may also want to trigger a token reset explicitly (for example, on sign-out), which can be done by setting a TTL of 0:

Sec-HTTP-State-Options: ..., ttl=0, ...

In either case, pages currently running for the origin can be notified that the state has changed, so that they can perform cleanup. When a reset happens, the user agent posts a message to the origin's BroadcastChannel named http-state-reset (and possibly wakes up the origin's Service Worker with a corresponding event):

let resetChannel = new BroadcastChannel('http-state-reset');
resetChannel.onmessage = e => { /* Do exciting cleanup here. */ };

3, For some servers the client-generated token is enough to maintain state: they can treat it as an opaque session identifier and bind the user's server-side state to it. Other servers need additional assurance before they can trust the token's provenance. For this, the server can generate a unique secret key, associate it with its own session identifier, and deliver it to the client through an HTTP response header:

Sec-HTTP-State-Options: ..., key=*ZH0GxtBMWA...nJudhZ8dtz*, ...

The client stores this secret key and uses it to sign a defined set of data, reducing the risk that a captured token can be replayed:

Sec-HTTP-State: token=*J6BRKa...MonM*, sig=*(HMAC-SHA256(key, token+metadata))*
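The following added Python example (not code from Mike's explainer or from Chrome) walks through the three options above from both sides: a user-agent-side OriginState that parses a Sec-HTTP-State-Options value, honours delivery, ttl and ttl=0, and stores a server-issued key, and a server-side verify_state_header that recomputes the HMAC-SHA256 signature before accepting a token. The key is a constructed placeholder rather than the elided value shown above, the "metadata" covered by the signature is assumed here to be the request's origin, and the class and function names are invented for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time


def parse_pairs(header_value):
    """Split 'a=x, b=*y*' into {'a': 'x', 'b': 'y'}; the *...* quoting is stripped.

    Items without '=' (such as the literal '...' in the article's examples) are ignored.
    """
    pairs = {}
    for item in header_value.split(","):
        if "=" not in item:
            continue
        name, value = item.split("=", 1)
        pairs[name.strip().lower()] = value.strip().strip("*")
    return pairs


def parse_options(header_value):
    """Validate the Sec-HTTP-State-Options members described in the article."""
    raw = parse_pairs(header_value)
    opts = {}
    if "delivery" in raw:
        if raw["delivery"] not in ("same-origin", "cross-site"):
            raise ValueError("unknown delivery mode: " + raw["delivery"])
        opts["delivery"] = raw["delivery"]
    if "ttl" in raw:
        opts["ttl"] = int(raw["ttl"])
        if opts["ttl"] < 0:
            raise ValueError("ttl must not be negative")
    if "key" in raw:
        opts["key"] = raw["key"]
    return opts


def fresh_token():
    """256 client-chosen bits as unpadded base64url."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def sign(key, token, metadata):
    """sig = HMAC-SHA256(key, token + metadata), hex-encoded (encoding is an assumption)."""
    return hmac.new(key.encode(), (token + metadata).encode(), hashlib.sha256).hexdigest()


class OriginState:
    """User-agent-side state for one origin (constructed model, injectable clock for tests)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.token = fresh_token()
        self.delivery = "same-site"  # default described in the article
        self.expires_at = None
        self.key = None

    def apply_options(self, header_value):
        """Apply a Sec-HTTP-State-Options response header value."""
        opts = parse_options(header_value)
        self.delivery = opts.get("delivery", self.delivery)
        if "key" in opts:
            self.key = opts["key"]
        if "ttl" in opts:
            if opts["ttl"] == 0:
                self.reset()  # explicit reset, e.g. on sign-out
            else:
                self.expires_at = self.clock() + opts["ttl"]

    def reset(self):
        self.token = fresh_token()
        self.expires_at = None
        # A real user agent would also post to BroadcastChannel('http-state-reset') here.

    def state_header(self, metadata):
        """Value of the Sec-HTTP-State request header, replacing an expired token first."""
        if self.expires_at is not None and self.clock() >= self.expires_at:
            self.reset()
        if self.key is None:
            return f"token=*{self.token}*"
        return f"token=*{self.token}*, sig=*{sign(self.key, self.token, metadata)}*"


def verify_state_header(header_value, key, metadata):
    """Server side: return the token if its signature checks out, else None."""
    fields = parse_pairs(header_value)
    token, sig = fields.get("token"), fields.get("sig")
    if not token or not sig:
        return None
    if not hmac.compare_digest(sign(key, token, metadata), sig):
        return None
    return token
```

Binding the signature to request metadata such as the origin means a header captured for one origin does not verify when replayed against another, and the constant-time compare_digest avoids leaking the expected signature byte by byte.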

Mike also stresses that this plan is not something entirely different from cookies, and that it is not meant to replace cookies right now. Although cookies should eventually be abandoned, this proposal only puts forward a complementary mechanism that can take effect while cookies continue to exist alongside it.
