From 8074ad61a7d99f485cbcd5babee3bbd168674e75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leonard=20Janis=20Robert=20K=C3=B6nig?= Date: Tue, 23 Apr 2024 11:02:12 +0200 Subject: [PATCH] Implement #1373: Document Relaxed `__Secure-` Cookie Prefix (#1374) --- ..._Request_Forgery_Prevention_Cheat_Sheet.md | 23 ++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md b/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md index 969c9fcad9..85c5944fc3 100644 --- a/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md +++ b/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md 
@@ -292,12 +292,29 @@ Usually, a minor percentage of traffic does fall under above categories ([1-2%]( #### Using Cookies with Host Prefixes to Identify Origins -Another solution for this problem is using `Cookie Prefixes` for cookies with CSRF tokens. If cookies have `__Host-` prefixes e.g. `Set-Cookie: __Host-token=RANDOM; path=/; Secure` then each cookie: - -- Cannot be (over)written from another subdomain. +While the `SameSite` and `Secure` attributes mentioned earlier restrict the sending of already set cookies +and `HttpOnly` restricts the reading of a set cookie, +an attacker may still try to inject or overwrite otherwise secured cookies +(cf. [session fixation attacks](http://www.acrossecurity.com/papers/session_fixation.pdf)). +Using `Cookie Prefixes` for cookies with CSRF tokens extends security protections against this kind of attacks as well. +If cookies have `__Host-` prefixes e.g. `Set-Cookie: __Host-token=RANDOM; path=/; Secure` then each cookie: + +- Cannot be (over)written from another subdomain and +- cannot have a `Domain` attribute. - Must have the path of `/`. - Must be marked as Secure (i.e, cannot be sent over unencrypted HTTP). +In addition to the `__Host-` prefix, the weaker `__Secure-` prefix is also supported by browser vendors. +It relaxes the restrictions on domain overwrites, i.e., they + +- Can have `Domain` attributes and +- can be overwritten by subdomains. +- Can have a `Path` other than `/`. + +This relaxed variant can be used as an alternative to the "domain locked" `__Host-` prefix, +if authenticated users would need to visit different (sub-)domains. +In all other cases, using the `__Host-` prefix in addition to the `SameSite` attribute is recommended. + As of July 2020 cookie prefixes [are supported by all major browsers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Browser_compatibility). 
See the [Mozilla Developer Network](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Directives) and [IETF Draft](https://tools.ietf.org/html/draft-west-cookie-prefixes-05) for further information about cookie prefixes.
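Review bot: The new `__Secure-` bullet list in this hunk only enumerates what the prefix relaxes ("Can have `Domain` attributes and", "can be overwritten by subdomains.", "Can have a `Path` other than `/`.") and never states what it still enforces, so a reader may conclude that `__Secure-` imposes no constraint at all; add a bullet such as "- Must still be marked as Secure (and can only be set from a secure origin)." so the retained protection is explicit next to the relaxed ones. Two smaller points in the same hunk: both lists mix sentence-initial capitals with lowercase continuations joined by a trailing "and" ("Cannot be (over)written from another subdomain and" / "cannot have a `Domain` attribute."), which reads oddly as Markdown bullets; either make every bullet a standalone capitalized sentence or merge the joined pair into one bullet. Finally, "extends security protections against this kind of attacks" should read "this kind of attack", and in "It relaxes the restrictions on domain overwrites, i.e., they" the pronoun has no clear antecedent; "i.e., `__Secure-` cookies" would be unambiguous.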