HTTP Glossaries

August 13, 2022

A lookup table for HTTP security-related glossaries, such as Site, Origin, Cookie etc.

For example, before we can understand what cross-site means we must understand what Site means, and If we want to know what CORS is for we need to understand what Origin is first.

Site #

A site is determined by the registrable domain portion of the domain name. The registrable domain consists of an entry in the Public Suffix List plus the portion of the domain name just before it. This means that, for example, theguardian.co.uk, sussex.ac.uk, and bookshop.org are all registrable domains.

In some contexts, the scheme is also considered when differentiating sites. This would make http://vpl.ca and https://vpl.ca different sites. Including the scheme prevents an insecure (HTTP) site from being treated as the same site as a secure (HTTPS) site. A definition that considers the scheme is sometimes called a schemeful same-site. This stricter definition is applied in the rules for handling SameSite cookies.

Examples

These are the same site because the registrable domain of mozilla.org is the same:

• https://developer.mozilla.org/en-US/docs/
• https://support.mozilla.org/en-US/

These are the same site because the port is not relevant:

• https://example.com:8080
• https://example.com

These are not the same site because the registrable domain of the two URLs differs:

• https://developer.mozilla.org/en-US/docs/
• https://example.com

These are the same site, or different sites if the scheme is considered:

• http://example.com
• https://example.com

Origin #

Web content’s origin is defined by the scheme (protocol), hostname (domain), and port of the URL used to access it. Two objects have the same origin only when the scheme, hostname, and port all match.

Some operations are restricted to same-origin content, and this restriction can be lifted using CORS.

Example

These are same origin because they have the same scheme (http) and hostname (example.com), and the different file path does not matter:

• http://example.com/app1/index.html
• http://example.com/app2/index.html

These are same origin because a server delivers HTTP content through port 80 by default:

• http://example.com:80
• http://example.com

These are not same origin because they use different schemes:

• http://example.com/app1
• https://example.com/app2

These are not same origin because they use different hostnames:

• http://example.com
• http://www.example.com
• http://myapp.example.com

These are not same origin because they use different ports:

• http://example.com
• http://example.com:8080

CORS #

CORS (Cross-Origin Resource Sharing) is a system, consisting of transmitting HTTP headers, that determines whether browsers block frontend JavaScript code from accessing responses for cross-origin requests.

The same-origin security policy forbids cross-origin access to resources. But CORS gives web servers the ability to say they want to opt into allowing cross-origin access to their resources.

CORS allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. CORS also relies on a mechanism by which browsers make a preflight request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.

• Simple requests – https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
• Prefighted requests – https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#preflighted_requests
• The HTTP request headers – https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#the_http_request_headers
• The HTTP response headers – https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#the_http_response_headers

Using HTTP cookies #

An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to a user’s web browser. The browser may store the cookie and send it back to the same server with later requests. Typically, an HTTP cookie is used to tell if two requests come from the same browser—keeping a user logged in, for example. It remembers stateful information for the stateless HTTP protocol.

Cookies are mainly used for three purposes:

• Session management: Logins, shopping carts, game scores, or anything else the server should remember
• Personalization: User preferences, themes, and other settings
• Tracking: Recording and analyzing user behavior

Cookie Attritues

• Secure attribute
• HttpOnly attribute
• Domain attribute
• Path attribute
• SameSite attribute
• Cookie prefixes

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies

Types of attracks #

• Cross-site scripting(XSS) – https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
• Cross-site request forgery(CSRF) – https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
• Session Management – https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

Reference #

• https://developer.mozilla.org/en-US/docs/Glossary/Site
• https://developer.mozilla.org/en-US/docs/Glossary/Origin
• https://developer.mozilla.org/en-US/docs/Glossary/CORS
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
• https://datatracker.ietf.org/doc/html/rfc2109
• https://datatracker.ietf.org/doc/html/rfc2965
• https://datatracker.ietf.org/doc/html/rfc6265
• https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00
• https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-prefixes-00
• https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes
• https://arcagarwal.medium.com/same-site-changes-in-chrome-1c86973454f9