RFC 6265bis: Add Lax-allowing-unsafe SameSite enforcement mode #1435

Merged May 20, 2021
merged 10 commits into from
67 changes: 67 additions & 0 deletions draft-ietf-httpbis-rfc6265bis.md
@@ -1333,6 +1333,46 @@ When possible, developers should use a session management mechanism such as
that described in {{top-level-navigations}} to mitigate the risk of CSRF more
completely.

#### "Lax-Allowing-Unsafe" enforcement {#lax-allowing-unsafe}

As discussed in {{unsafe-top-level-requests}}, compatibility concerns may
necessitate the use of a "Lax-allowing-unsafe" enforcement mode that allows
cookies to be sent with a cross-site HTTP request if and only if it is a
top-level request, regardless of request method. That is, the
"Lax-allowing-unsafe" enforcement mode waives the requirement for the HTTP
request's method to be "safe" in the `SameSite` enforcement step of the
retrieval algorithm in {{retrieval-algorithm}}. (All cookies, regardless of
`SameSite` enforcement mode, may be set for top-level navigations, regardless of
HTTP request method, as specified in {{storage-model}}.)

"Lax-allowing-unsafe" is not a distinct value of the `SameSite` attribute.
Rather, user agents MAY apply "Lax-allowing-unsafe" enforcement only to cookies
that did not explicitly specify a `SameSite` attribute (i.e., those whose
same-site-flag was set to "Default" by default). To limit the scope of this
compatibility mode, user agents which apply "Lax-allowing-unsafe" enforcement
SHOULD restrict the enforcement to cookies which were created recently.
Deployment experience has shown a cookie age of 2 minutes or less to be a
reasonable limit.

If the user agent uses "Lax-allowing-unsafe" enforcement, it MUST apply the
following modification to the retrieval algorithm defined in
{{retrieval-algorithm}}:

Replace the condition in the penultimate bullet point of step 1 of the retrieval
algorithm reading

* The HTTP request associated with the retrieval uses a "safe" method.

with

* At least one of the following is true:

1. The HTTP request associated with the retrieval uses a "safe" method.

2. The cookie's same-site-flag is "Default" and the amount of time
elapsed since the cookie's creation-time is at most a duration of the
user agent's choosing.

## Storage Model {#storage-model}

The user agent stores the following fields about each cookie: name, value,
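Review bot: the prose and the algorithm text in this hunk disagree on whether the recency limit is optional. The paragraph ending "SHOULD restrict the enforcement to cookies which were created recently" makes the age check a SHOULD, but the replacement condition's second alternative, "The cookie's same-site-flag is "Default" and the amount of time elapsed since the cookie's creation-time is at most a duration of the user agent's choosing", makes it a hard conjunct, so a user agent that does not want the check can only comply by picking an unbounded duration. Either raise the prose to MUST (with the 2-minute deployment figure as the suggested value) or mark the age clause in the algorithm as optional, but not both readings at once. It would also help to state whether "creation-time" here survives the cookie being overwritten by a later Set-Cookie for the same name, domain and path, since that decides whether a regularly refreshed session cookie stays inside the window or drops out of it after the first 2 minutes. Two smaller wording points: "those whose same-site-flag was set to "Default" by default" says "default" twice, and "those whose same-site-flag is "Default" because no SameSite attribute was present" is clearer; and "the penultimate bullet point of step 1" locates the target bullet by position, which silently breaks if step 1 later gains a bullet, so rely on the quoted bullet text alone and drop "penultimate".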
@@ -2085,6 +2125,33 @@ reload navigation triggered through the user interface may replay the original
(potentially malicious) request. Thus, the reload request should be considered
cross-site, like the request that initially navigated to the page.

### Top-level requests with "unsafe" methods {#unsafe-top-level-requests}

The "Lax" enforcement mode described in {{strict-lax}} allows a cookie to be
sent with a cross-site HTTP request if and only if it is a top-level navigation
with a "safe" HTTP method. Implementation experience shows that this is
difficult to apply as the default behavior, as some sites may rely on cookies
not explicitly specifying a `SameSite` attribute being included on top-level
cross-site requests with "unsafe" HTTP methods (as was the case prior to the
introduction of the `SameSite` attribute).

For example, a login flow may involve a cross-site top-level `POST` request to
an endpoint which expects a cookie with login information. For such a cookie,
"Lax" enforcement is not appropriate, as it would cause the cookie to be
excluded due to the unsafe HTTP request method. On the other hand, "None"
enforcement would allow the cookie to be sent with all cross-site requests,
which may not be desirable due to the cookie's sensitive contents.

The "Lax-allowing-unsafe" enforcement mode described in {{lax-allowing-unsafe}}
retains some of the protections of "Lax" enforcement (as compared to "None")
while still allowing cookies to be sent cross-site with unsafe top-level
requests.

As a more permissive variant of "Lax" mode, "Lax-allowing-unsafe" mode
necessarily provides fewer protections against CSRF. Ultimately, the provision
of such an enforcement mode should be seen as a temporary, transitional measure
to ease adoption of "Lax" enforcement by default.

# IANA Considerations

## Cookie {#iana-cookie}
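Review bot: "retains some of the protections of "Lax" enforcement (as compared to "None")" should say which protection it means. Given the definition in the earlier hunk (the cookie is sent cross-site if and only if the request is top-level, regardless of method), what is retained is that cross-site non-top-level requests such as subresource loads and fetches from a cross-site page still do not carry the cookie; what is given up is any defence against CSRF through cross-site top-level requests with "unsafe" methods, which is exactly the login-flow `POST` the preceding paragraph uses as motivation. Stating this makes "necessarily provides fewer protections against CSRF" concrete rather than vague. Also, the sentence "Implementation experience shows that this is difficult to apply as the default behavior, as some sites may rely on cookies not explicitly specifying a `SameSite` attribute being included on top-level cross-site requests ..." is hard to parse; suggest: "Implementation experience shows that this is difficult to apply as the default behavior: some sites rely on cookies that do not explicitly specify a `SameSite` attribute being included on top-level cross-site requests with "unsafe" HTTP methods, as was the case before the `SameSite` attribute was introduced." Finally, the closing paragraph calls the mode "a temporary, transitional measure" without saying what bounds it; a pointer to the recency limit in {{lax-allowing-unsafe}} as the mechanism that keeps its scope narrow would close that gap.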