Re: Proposal: Cookie Priorities from Matthew Kerwin on 2016-03-07 (ietf-http-wg@w3.org from January to March 2016)

From: Matthew Kerwin <matthew@kerwin.net.au>
Date: Tue, 8 Mar 2016 07:50:13 +1000
To: Mike West <mkwst@google.com>
Cc: Mark Nottingham <mnot@mnot.net>, ietf-http-wg@w3.org
Message-ID: <CACweHNB0dOrBFxL6HMTx4o_8-qVFSrRD4C3pARHydStLyuV=gw@mail.gmail.com>

On 07/03/2016 7:34 PM, "Mike West" <mkwst@google.com> wrote:
>
> Also, just so it's clear: the `priority` attribute is only considered in
the context of a single domain. We don't discard `example.com`'s "low"
priority cookies in order to keep `google.com`'s "high" priority cookies.
We only consider priority when determining which of a particular domain's
to evict, once we know that we need to evict a few. It is quite limited in
scope, and does not override any of the other mechanisms which might cause
a cookie to be removed. In particular, `priority=high` does not change
cookie expiration. I don't think it's fair at all to allude to it as a
supercookie.
>
>> Regarding "Priority=Low": this allows/encourages people to add even more
cookies, because "they're low priority, so they're less harmful." Telling
people to add a bunch of fluffy cookies because 'they can be pruned if
there are too many' doesn't seem like an improvement to me. Better advice
would be: don't send so much cruft in cookies.
>
>
> Given that `priority` only comes into play when cookies are evicted for
exceeding a domain's limit, it doesn't appear that developers have needed
much encouragement. :)
>
> In the particular set of cases I'm concerned with, the problem isn't a
single developer or even a single application stuffinh a user's cookie jar
with 150+ cookies, but a collusion of multiple applications on a single
registrable domain. For each individual application, cookies might be
totally legitimate and not at all crufty; that doesn't change the overall
impact on the domain.
>

Doesn't that last paragraph counter the previous a bit? You don't discard
example.com's low cookies to keep google.com's high ones, but you evict
google.com/foo's low ones to keep google.com/bar's high ones. Even though
the foo and bar teams are clearly independent of each other (else surely
they could synergise their cookies a bit better in the first place.)

How many domains host 150 completely independent apps that the user is
actively logged into simultaneously? Even 75? Hell, even 35? And four-five
cookies per app is pushing what I'd normally consider reasonable, we're
definitely pushing into cruft territory here.

Maybe I'm too conservative.

If the wg/community decides that fixing the problem is intractible, then
sure, patch the symptoms -- but please take care to do it in a way that
doesn't make things worse.

> [...] it doesn't appear that developers have needed much encouragement.

What if the current state of things is just not making it worse?

Cheers

Received on Monday, 7 March 2016 21:50:43 UTC