Closed Bug 629325 Opened 13 years ago Closed 8 years ago

Cookie Attribute 'FirstPartyOnly' to prevent CSRF

Categories

(Core :: Networking: Cookies, enhancement)

x86
Windows 7
enhancement
Not set
normal


RESOLVED DUPLICATE of bug 795346

People

(Reporter: OlafvdSpek, Unassigned)

Details

(Whiteboard: [necko-would-take])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

Would it be possible to create a cookie attribute (let's call it FirstPartyOnly) that causes this cookie to only be sent when the cookie domain matches the domain of the source of the request?

Suppose I've got a document at example.net that includes an image at b.net. If b.net's cookie is marked FirstPartyOnly, it shouldn't be sent.

This attribute should probably be discussed with other major browser vendors.

Reproducible: Always
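The attachment rule proposed above, as an added example that is not part of the bug report or of any Firefox/Necko code: a small model of a cookie jar in which a cookie carrying a hypothetical `first_party_only` flag is only attached when the site of the top-level document that initiated the request matches the cookie's site. The `Cookie` and `Request` types, the `registrable_domain` helper (simplified to the last two host labels; real user agents consult the Public Suffix List) and the sample jar are all constructed for this illustration.

```python
"""Model of a FirstPartyOnly cookie attribute (constructed example).

Shows why a cross-site subresource or form submission from example.net
does not carry b.net's FirstPartyOnly cookie, which is what breaks the
classic CSRF pattern, while same-site requests are unaffected.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str                     # host the cookie was set for, e.g. "b.net"
    first_party_only: bool = False  # hypothetical attribute from this bug


@dataclass(frozen=True)
class Request:
    url_host: str        # host the request is sent to
    top_level_host: str  # host of the document that initiated the request


def registrable_domain(host: str) -> str:
    """Simplified site computation: keep the last two labels
    ('www.example.net' -> 'example.net'). Real browsers use the PSL."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_matches(cookie_domain: str, host: str) -> bool:
    """Ordinary cookie domain-match: exact host or a subdomain of it."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def is_first_party(req: Request) -> bool:
    """True when the request target and the initiating document share a site."""
    return registrable_domain(req.url_host) == registrable_domain(req.top_level_host)


def cookies_to_send(jar: list[Cookie], req: Request) -> list[Cookie]:
    """Select the cookies a user agent would attach to `req`."""
    selected = []
    for cookie in jar:
        if not domain_matches(cookie.domain, req.url_host):
            continue
        if cookie.first_party_only and not is_first_party(req):
            continue  # third-party context: withhold the cookie
        selected.append(cookie)
    return selected


def cookie_header(jar: list[Cookie], req: Request) -> str:
    """Render the Cookie request header that would be sent ('' if none)."""
    return "; ".join(f"{c.name}={c.value}" for c in cookies_to_send(jar, req))


# Constructed jar: b.net has a session cookie marked FirstPartyOnly and an
# ordinary preferences cookie.
JAR = [
    Cookie("session", "abc123", "b.net", first_party_only=True),
    Cookie("prefs", "dark", "b.net"),
]

if __name__ == "__main__":
    # Image (or form post) from an example.net page to b.net: session withheld.
    print(cookie_header(JAR, Request("b.net", "example.net")))
    # Request initiated by a b.net page itself: both cookies attached.
    print(cookie_header(JAR, Request("b.net", "b.net")))
```

With the jar above, a request to `b.net` initiated by a document on `example.net` yields `prefs=dark`, while the same request initiated from `b.net` (or from `www.b.net` to `img.b.net`, which share a site) yields `session=abc123; prefs=dark`. The later SameSite attribute linked in this bug follows the same idea of keying the decision on the initiating site rather than only on the request's target host.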
Version: unspecified → 3.6 Branch
Confirming. Seems like something Content Security Policies could solve.
Status: UNCONFIRMED → NEW
Ever confirmed: true
This is something various people have been working on: Mike West has been working on this document https://tools.ietf.org/html/draft-west-first-party-cookies-01 which, in turn, is similar to SameDomain cookies (which came close to being implemented a while ago, see bug 795346).

People are starting to play with this; I think the time has come to make the idea a reality.
Component: Security → Networking: Cookies
Product: Firefox → Core
Version: 3.6 Branch → unspecified
See Also: → samesite-cookies
An explicit ThirdPartyToo attribute might be handy too, then a user setting could make FirstPartyOnly the default. Or it could forbid ThirdPartyToo cookies.
Whiteboard: [necko-would-take]
There may be some subtle differences in what you wanted and what folks are coalescing around as a proposed standard, but bug 795346 is where the action is. We're not going to implement two different things here so if there are differences you feel strongly about it would be better to influence the standard discussions, which in turn will be reflected in the bug 795346 implementation work.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE