
Disable HTTPS upgrade?


Posted Mar 5, 2025 10:55 UTC (Wed) by excors (subscriber, #95769)
In reply to: Disable HTTPS upgrade? by intelfx
Parent article: Firefox 136.0 released

RFC9110 says:

> Resources made available via the "https" scheme have no shared identity with the "http" scheme. They are distinct origins with separate namespaces.

but then goes on to mention cookies as an example of features that undermine the strict distinction. Specifically RFC6265 says:

> servers SHOULD NOT both run mutually distrusting services on different ports of the same host and use cookies to store security-sensitive information.

because cookies are shared by all schemes and ports on the same host. So even if you stick to the hypothetical world described by RFCs and ignore practical concerns, you can't treat HTTP and HTTPS services on the same host as completely independent.



Disable HTTPS upgrade?

Posted Mar 5, 2025 11:02 UTC (Wed) by intelfx (subscriber, #130118)

> RFC9110 says:
>
>> Resources made available via the "https" scheme have no shared identity with the "http" scheme. They are distinct origins with separate namespaces.
>
> but then goes on to mention cookies as an example of features that undermine the strict distinction. Specifically RFC6265 says:
>
>> servers SHOULD NOT both run mutually distrusting services on different ports of the same host and use cookies to store security-sensitive information.

Sure, that's a restriction placed on the previous clause. Yet, "the exception proves the rule in cases not excepted".

So it is, in fact, true that besides this mutual distrust caveat, RFCs declare http:// and https:// resources as separate namespaces. I take it as a pretty clear-cut confirmation that the standards agree with my interpretation.

Disable HTTPS upgrade?

Posted Mar 5, 2025 14:07 UTC (Wed) by ballombe (subscriber, #9523)

> because cookies are shared by all schemes and ports on the same host.

... which independently of https is a major design bug since webservers on non-standard ports exist.

Disable HTTPS upgrade?

Posted Mar 5, 2025 15:19 UTC (Wed) by excors (subscriber, #95769)

Yeah, modern web security is based on "origin" (basically a tuple of scheme, port and host) which is generally sensible, but cookies were invented long before that and can't be fixed because of backward compatibility requirements. If you want to properly isolate sites then they can't even be on different subdomains of the same domain - they must be completely different domains, up to a suffix listed in the Public Suffix List (.com, .co.uk, .github.io, etc). And definitely don't try to isolate them just by port. It's a bad design, but it is what it is.

(Or as RFC6265 puts it: "For historical reasons, cookies contain a number of security and privacy infelicities.")
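
The gap discussed in this thread, as an added example that is not part of any comment here: it compares the origin tuple (scheme, host, port) with the RFC 6265 section 5.4 rules for attaching a cookie to a request. The `example.test` hostnames and cookie records are constructed, and path, expiry and HttpOnly handling are left out.

```javascript
// Added illustration (not from the thread): origin comparison versus the
// RFC 6265 section 5.4 rules deciding which requests carry a cookie.
// Hostnames are constructed samples; path, expiry and HttpOnly are ignored.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin = (scheme, host, port), with the scheme's default port filled in.
function origin(urlString) {
  const u = new URL(urlString);
  return [u.protocol, u.hostname, u.port || DEFAULT_PORTS[u.protocol]].join("|");
}

function sameOrigin(a, b) {
  return origin(a) === origin(b);
}

// RFC 6265 section 5.1.3 domain-match: equal, or a dot-separated suffix
// of a host name (IP literals only ever match exactly).
function domainMatch(host, cookieDomain) {
  if (host === cookieDomain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// cookie = { domain, hostOnly, secure } as stored by the user agent.
function cookieSentTo(cookie, urlString) {
  const u = new URL(urlString);
  const hostOk = cookie.hostOnly
    ? u.hostname === cookie.domain
    : domainMatch(u.hostname, cookie.domain);
  const schemeOk = !cookie.secure || u.protocol === "https:";
  return hostOk && schemeOk; // the port is never consulted
}

// Set by https://app.example.test/ with no Domain and no Secure attribute.
const hostCookie = { domain: "app.example.test", hostOnly: true, secure: false };
// Set with "Domain=example.test; Secure".
const domainCookie = { domain: "example.test", hostOnly: false, secure: true };

const setter = "https://app.example.test/";
for (const target of [
  "http://app.example.test/",        // other scheme
  "http://app.example.test:8080/",   // other scheme and port
  "https://other.example.test:8443/" // sibling subdomain, other port
]) {
  console.log(target, "sameOrigin:", sameOrigin(setter, target),
    "hostCookie:", cookieSentTo(hostCookie, target),
    "domainCookie:", cookieSentTo(domainCookie, target));
}
```

Every target is a different origin from the setter, yet each receives at least one of the two cookies; only the `Secure` attribute and the host comparison narrow the scope.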


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.