- From: Mike West <mkwst@google.com>
- Date: Mon, 7 Mar 2016 10:25:46 +0100
- To: Daniel Stenberg <daniel@haxx.se>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>, Samuel Huang <huangs@google.com>, Mark Nottingham <mnot@mnot.net>
- Message-ID: <CAKXHy=fZkRnThojTU8V9s-Vyps8jG3xOTEF-yKrDs9cqh546mg@mail.gmail.com>
Thanks for the conversation, folks. A few replies inline: On Mon, Mar 7, 2016 at 9:12 AM, Daniel Stenberg <daniel@haxx.se> wrote: > On Thu, 3 Mar 2016, Mike West wrote: > > https://tools.ietf.org/html/draft-west-cookie-priority-00. Apologies for >> the years of delay. :/ >> > > Count me as another skeptic. > > Since implementing support different cookie priority levels requires > changing the server ends, wouldn't it be better to ask server admins to > instead stop polluting the same domain with excessive amounts of cookies? I > presume the primary cookie limit you're talking about number of cookies per > domain. Alternatively, advocate for a higher limit (even though RFC6265 > only suggests certain limits, browsers are free to user higher)? > Chrome and Firefox both set limit at ~150 cookies per domain. Chrome has a different eviction mechanism than Firefox, allowing a domain to flex up to 180 cookies before purging it back down to 150. My (vague) understanding is that we arrived at that mechanism for performance reasons: purging just one cookie lead to some level of churn for users who hovered around the limit. Raising the limit is certainly possible, but also has performance impacts and storage limitations. We'd need to measure those carefully before bumping the limit, as determining which cookies to send ends up being on the critical path for every request. > What happens to cookies that are actually called 'Priority' ? It seems > like a very standard name for a cookie and to me it seems like there's room > for confusion for services that already use Priority set to Low/High etc. I > don't see any mentioning of how to handle this. > Like cookies named "HttpOnly" or "MaxAge", this is handled by step 1 of https://tools.ietf.org/html/rfc6265#section-5.2, which splits the cookie string on the first ';' into the name/value pair, and the set of attributes. > This mechanism adds more complexity to an already complicated and messed > up concept. > It also solves a real problem that really exists, at least in the complex ecosystems of corporate intranets. Both Mark and Martin seem to have confirmed that the anecdata I provide isn't limited to Google. I'm also a bit sad to hear that Chrome+Google already implement this, as it > feels like a certain degree of the old web war tactics all over again. It > won't really matter what we say in this work group, as Google services will > work less good without this feature and Chrome already works like this, so > in order to keep users happy, user agents are strong-armed into following... On this point, I can only apologize. We didn't follow through on our commitment to discuss shipping this feature openly, we didn't report our experimental results, and we didn't get buy-in from other browser vendors. You're correct that this is bad behavior. If it turns out that Chrome is the only vendor that's going to implement this, then I'll do my best to get it removed. All that said, I think the Chrome team has gotten significantly better at this since 2013. We have a clear launch process <http://www.chromium.org/blink#launch-process> for web-facing features, and if we were launching cookie priorities _today_, the conversation would have gone differently. On Mon, Mar 7, 2016 at 4:29 AM, Matthew Kerwin <matthew@kerwin.net.au> wrote: > Regarding "Priority=High": Currently cookies are often used on the > critical path, and these existing cookies don't have a "Priority" > attribute. We can't define a new spec that retroactively mandates that > implementers have to add the attribute, so I imagine we would probably want > to define it so that "no Priority" is as high as "High Priority." (Unless > we're proposing to define a new supe..uh..'more important' cookie.) So all > the existing dead wood remains, and the path of least resistance for > implementers who want to comply with the spec is: don't do anything. Thus > it's not a valuable addition. > The spec defines a missing `priority` attribute as setting "medium" priority, which allows an origin to just set priority on those cookies which are particularly important, or particularly discardable. For instance. Google sets `priority=high` on authentication cookies, and `priority=low` on cookies which only contain information that could be derived (at expense) from the user session data. Also, just so it's clear: the `priority` attribute is only considered in the context of a single domain. We don't discard `example.com`'s "low" priority cookies in order to keep `google.com`'s "high" priority cookies. We only consider priority when determining which of a particular domain's to evict, once we know that we need to evict a few. It is quite limited in scope, and does not override any of the other mechanisms which might cause a cookie to be removed. In particular, `priority=high` does not change cookie expiration. I don't think it's fair at all to allude to it as a supercookie. Regarding "Priority=Low": this allows/encourages people to add even more > cookies, because "they're low priority, so they're less harmful." Telling > people to add a bunch of fluffy cookies because 'they can be pruned if > there are too many' doesn't seem like an improvement to me. Better advice > would be: don't send so much cruft in cookies. > Given that `priority` only comes into play when cookies are evicted for exceeding a domain's limit, it doesn't appear that developers have needed much encouragement. :) In the particular set of cases I'm concerned with, the problem isn't a single developer or even a single application stuffinh a user's cookie jar with 150+ cookies, but a collusion of multiple applications on a single registrable domain. For each individual application, cookies might be totally legitimate and not at all crufty; that doesn't change the overall impact on the domain. On Fri, Mar 4, 2016 at 1:53 AM, Martin Thomson <martin.thomson@gmail.com> wrote: > I have a small suggestion: > > if (request.url.scheme == 'http') { > cookie.priority = 'floor'; > } > Note that the eviction changes in https://tools.ietf.org/html/draft-ietf-httpbis-cookie-alone-00 would still be effective; I'm working through how those changes impact Google at the moment, and hope to have a more concrete proposal of what an eviction algorithm that takes care of both of these proposals might look like. The initial pass that we planned to start shipping in Chrome 50 caused some disruption that I'm still working through. Related story, I believe that some of those people run servers that > forcibly evict all cookies other than those on a small whitelist to > prevent this sort of craziness. That turns out to have beneficial > properties. Indeed, Google has put a ton of effort into understanding all the cookies that are set by Google services, and my understanding is that we do actively cull cookies coming into/set by our frontend servers. The intranet (`*.corp.google.com`) is less centralized, and less controllable; I'm told that the sign-out rates we see internally are orders of magnitude higher than we see externally, for this reason. -mike
Received on Monday, 7 March 2016 09:26:49 UTC