HTTP Glossaries
August 13, 2022
A lookup table for HTTP security-related glossaries, such as Site, Origin, Cookie, etc.
For example, before we can understand what cross-site means we must understand what Site means, and if we want to know what CORS is for we need to understand what Origin is first.
Site
A site is determined by the registrable domain portion of the domain name. The registrable domain consists of an entry in the Public Suffix List plus the portion of the domain name just before it. This means that, for example, theguardian.co.uk, sussex.ac.uk, and bookshop.org are all registrable domains.
In some contexts, the scheme is also considered when differentiating sites. This would make http://vpl.ca and https://vpl.ca different sites. Including the scheme prevents an insecure (HTTP) site from being treated as the same site as a secure (HTTPS) site. A definition that considers the scheme is sometimes called a schemeful same-site. This stricter definition is applied in the rules for handling SameSite cookies.
Examples
These are the same site because the registrable domain of mozilla.org is the same:
These are the same site because the port is not relevant:
These are not the same site because the registrable domain of the two URLs differs:
These are the same site, or different sites if the scheme is considered:
Origin
Web content's origin is defined by the scheme (protocol), hostname (domain), and port of the URL used to access it. Two objects have the same origin only when the scheme, hostname, and port all match.
Some operations are restricted to same-origin content, and this restriction can be lifted using CORS.
Example
These are same origin because they have the same scheme (http) and hostname (example.com), and the different file path does not matter:
These are same origin because a server delivers HTTP content through port 80 by default:
These are not same origin because they use different schemes:
These are not same origin because they use different hostnames:
These are not same origin because they use different ports:
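The two definitions above differ only in what they compare, so the same-site and same-origin examples can be checked mechanically. The following is an added example, not code from the original post: it computes the origin with the WHATWG URL API and the site from a constructed, deliberately tiny subset of the Public Suffix List (a real check must load the full list); `registrableDomain`, `site`, `sameSite` and `sameOrigin` are this example's own names.

```javascript
// Constructed subset of the Public Suffix List, enough for the hostnames used
// in this glossary. Production code loads the full list from publicsuffix.org.
const PUBLIC_SUFFIXES = new Set(["com", "org", "ca", "uk", "co.uk", "ac.uk"]);

// Registrable domain = the longest matching public suffix plus the label just
// before it. Iterating from the left tries the longest candidate suffix first.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i).join(".");
  }
  return null; // the hostname is itself a public suffix, or is unknown
}

// Origin = scheme + host + port. The URL API drops default ports, so
// http://example.com:80 and http://example.com yield the same origin string.
function origin(url) {
  return new URL(url).origin;
}

function sameOrigin(a, b) {
  return origin(a) === origin(b);
}

// Site = registrable domain. With schemeful = true the scheme is included,
// which is the stricter definition applied to SameSite cookies.
function site(url, { schemeful = false } = {}) {
  const u = new URL(url);
  const rd = registrableDomain(u.hostname);
  if (rd === null) return null;
  return schemeful ? `${u.protocol}//${rd}` : rd;
}

function sameSite(a, b, opts) {
  const sa = site(a, opts);
  const sb = site(b, opts);
  return sa !== null && sa === sb;
}

// Constructed URLs mirroring the glossary's cases (subdomains of mozilla.org,
// paths and ports on example.com, http vs https on vpl.ca).
const CASES = [
  ["same site (mozilla.org)", sameSite("https://developer.mozilla.org/", "https://support.mozilla.org/")],
  ["same site, scheme ignored", sameSite("http://vpl.ca/", "https://vpl.ca/")],
  ["schemeful same-site", sameSite("http://vpl.ca/", "https://vpl.ca/", { schemeful: true })],
  ["same origin, path differs", sameOrigin("http://example.com/app1/", "http://example.com/app2/")],
  ["same origin, default port", sameOrigin("http://example.com:80/", "http://example.com/")],
  ["same origin, port differs", sameOrigin("http://example.com/", "http://example.com:8080/")],
];
for (const [label, result] of CASES) console.log(`${label}: ${result}`);
```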
CORS
CORS (Cross-Origin Resource Sharing) is a system, consisting of transmitting HTTP headers, that determines whether browsers block frontend JavaScript code from accessing responses for cross-origin requests.
The same-origin security policy forbids cross-origin access to resources. But CORS gives web servers the ability to say they want to opt into allowing cross-origin access to their resources.
CORS allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. CORS also relies on a mechanism by which browsers make a preflight request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.
- Simple requests – https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
- Preflighted requests – https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#preflighted_requests
- The HTTP request headers – https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#the_http_request_headers
- The HTTP response headers – https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#the_http_response_headers
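The preflight described above is a decision the server makes from the request's Origin, Access-Control-Request-Method and Access-Control-Request-Headers headers. The following is an added example, not code from the original post or any library: the decision is written as a pure function over a constructed policy so it can be tested without a server, and the origin allowlist is explicit because reflecting an arbitrary Origin together with Access-Control-Allow-Credentials would let any site read responses that carry the user's cookies. `corsDecision` and the policy fields are this example's own names.

```javascript
// Constructed policy for a hypothetical API at https://api.example.com.
const policy = {
  allowedOrigins: new Set(["https://app.example.com"]), // explicit allowlist
  allowedMethods: ["GET", "POST", "PUT"],
  allowedHeaders: ["content-type", "authorization"],     // compared lowercase
  allowCredentials: true,
  maxAgeSeconds: 600,                                    // preflight cache lifetime
};

// req = { method, headers } with lowercase header names, as Node's http module
// presents them. Returns { status, headers } for the CORS-relevant part only.
function corsDecision(req, pol) {
  const origin = req.headers["origin"];
  // No Origin header: same-origin navigation or a non-browser client, so no
  // CORS headers are needed (and CORS gives no protection against them).
  if (!origin) return { status: 200, headers: {} };
  // Unknown origin: answer without any Access-Control-* header, so the browser
  // withholds the response from the requesting script.
  if (!pol.allowedOrigins.has(origin)) return { status: 403, headers: {} };

  const headers = {
    "Access-Control-Allow-Origin": origin,
    Vary: "Origin", // the response depends on Origin, so caches must key on it
  };
  if (pol.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";

  const isPreflight =
    req.method === "OPTIONS" && "access-control-request-method" in req.headers;
  if (!isPreflight) return { status: 200, headers };

  // Preflight: check the method and headers the actual request intends to use.
  const method = req.headers["access-control-request-method"];
  const requested = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const methodOk = pol.allowedMethods.includes(method);
  const headersOk = requested.every((h) => pol.allowedHeaders.includes(h));
  if (!methodOk || !headersOk) return { status: 403, headers: {} };

  headers["Access-Control-Allow-Methods"] = pol.allowedMethods.join(", ");
  headers["Access-Control-Allow-Headers"] = pol.allowedHeaders.join(", ");
  headers["Access-Control-Max-Age"] = String(pol.maxAgeSeconds);
  return { status: 204, headers };
}

// Constructed preflight for a cross-origin PUT with a JSON body and a bearer token.
const preflight = {
  method: "OPTIONS",
  headers: {
    origin: "https://app.example.com",
    "access-control-request-method": "PUT",
    "access-control-request-headers": "Content-Type, Authorization",
  },
};
console.log(corsDecision(preflight, policy));
```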
Using HTTP cookies
An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to a user’s web browser. The browser may store the cookie and send it back to the same server with later requests. Typically, an HTTP cookie is used to tell if two requests come from the same browser—keeping a user logged in, for example. It remembers stateful information for the stateless HTTP protocol.
Cookies are mainly used for three purposes:
- Session management: Logins, shopping carts, game scores, or anything else the server should remember
- Personalization: User preferences, themes, and other settings
- Tracking: Recording and analyzing user behavior
Cookie Attributes
- Secure attribute
- HttpOnly attribute
- Domain attribute
- Path attribute
- SameSite attribute
- Cookie prefixes
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
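The attributes listed above can be checked on any Set-Cookie header a server emits, which is how the cookie-attribute tests in the OWASP testing guide are done. The following is an added example, not code from the original post: it parses a Set-Cookie value and reports missing Secure, HttpOnly and SameSite attributes plus violations of the __Host- and __Secure- prefix rules (a browser rejects a prefixed cookie whose conditions are not met). `parseSetCookie`, `auditSetCookie` and the finding strings are this example's own; the sample headers are constructed.

```javascript
// Split "name=value; Attr; Attr=val" into a name, value and attribute map.
// Attribute names are case-insensitive (RFC 6265), so they are lowercased.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Returns a list of findings; an empty list means every check passed.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const a = c.attrs;
  const findings = [];
  if (!a.secure) findings.push("missing Secure: cookie is also sent over plain HTTP");
  if (!a.httponly) findings.push("missing HttpOnly: cookie is readable by script");
  const sameSite = String(a.samesite || "").toLowerCase();
  if (!sameSite) findings.push("missing SameSite: browser default applies");
  else if (sameSite === "none" && !a.secure) findings.push("SameSite=None requires Secure");
  // Cookie prefixes (draft-ietf-httpbis-cookie-prefixes): __Host- binds the
  // cookie to one host and the whole site; __Secure- only demands Secure.
  if (c.name.startsWith("__Host-")) {
    if (!a.secure || "domain" in a || a.path !== "/")
      findings.push("__Host- prefix requires Secure, Path=/ and no Domain");
  } else if (c.name.startsWith("__Secure-") && !a.secure) {
    findings.push("__Secure- prefix requires Secure");
  }
  return findings;
}

// Constructed Set-Cookie values: a well-formed session cookie and a weak one.
const SAMPLES = [
  "__Host-session=abc123; Secure; HttpOnly; Path=/; SameSite=Lax",
  "session=abc123; Path=/",
];
for (const s of SAMPLES) console.log(s, "->", auditSetCookie(s));
```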
Types of attacks
- Cross-site scripting (XSS) – https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
- Cross-site request forgery (CSRF) – https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
- Session Management – https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
Reference
- https://developer.mozilla.org/en-US/docs/Glossary/Site
- https://developer.mozilla.org/en-US/docs/Glossary/Origin
- https://developer.mozilla.org/en-US/docs/Glossary/CORS
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
- https://datatracker.ietf.org/doc/html/rfc2109
- https://datatracker.ietf.org/doc/html/rfc2965
- https://datatracker.ietf.org/doc/html/rfc6265
- https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00
- https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-prefixes-00
- https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes
- https://arcagarwal.medium.com/same-site-changes-in-chrome-1c86973454f9