I don't think it's necessary to say "do the right things with cookies" in the Security BCP. The Browser Apps BCP has a much deeper discussion of how different browser-based architectures work with cookies so that seems like a better place to actually have a real discussion about it.
Also +1 to what Daniel said about not continuing to add little things. Plus I think it's too late anyway, publication has already been requested for the Security BCP. Aaron On Sun, Nov 5, 2023 at 11:14 AM Daniel Fett <fett= 40danielfett...@dmarc.ietf.org> wrote: > I agree with Aaron! > > Also we should be very careful about any additions to the Security BCP at > this point. It is very easy to re-start the "one more thing" loop we've > been stuck in for the last years. There may be more useful things to say, > but we should put them on the list for a future second version of the BCP. > > -Daniel > Am 05.11.23 um 20:03 schrieb Aaron Parecki: > > I don't think the Security BCP should incorporate cookie best practices > directly in the document. If anything, it sounds like possibly a candidate > for inclusion in the Browser Apps BCP. > > There are already some mentions of these cookie properties mentioned in > the Browser Apps BCP, though only in reference to specific architectures, > not as a general best practice. For example: > > > https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html#pattern-bff-cookie-security > > Aaron > > On Sun, Nov 5, 2023 at 10:48 AM Dick Hardt <dick.ha...@gmail.com> wrote: > >> Hey >> >> I was reviewing security on some sites I managed and checked to see if >> the recommendations were in the BCP. >> >> I don't see anything around cookies such as httpOnly, sameSite, secure. >> >> I saw some HTTP security header suggestions buried in 4.16 >> (X-Frame-Options, CSP), but not for Strict-Transport-Security, >> Permissions-Policy, or X-Content-Type-Options, and the CSP guidance is >> rather vague. >> >> I understand these are general web security best practices, and perhaps I >> missed it, but I think it would be useful to call out that best security >> practices around cookies and headers should also be followed in Section 2, >> and either have the best practices included, or direct the reader where to >> find them. >> >> /Dick >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > > _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
