- From: Matthew Kerwin <matthew@kerwin.net.au>
- Date: Tue, 8 Mar 2016 07:50:13 +1000
- To: Mike West <mkwst@google.com>
- Cc: Mark Nottingham <mnot@mnot.net>, ietf-http-wg@w3.org
- Message-ID: <CACweHNB0dOrBFxL6HMTx4o_8-qVFSrRD4C3pARHydStLyuV=gw@mail.gmail.com>
On 07/03/2016 7:34 PM, "Mike West" <mkwst@google.com> wrote:
>
> Also, just so it's clear: the `priority` attribute is only considered in the context of a single domain. We don't discard `example.com`'s "low" priority cookies in order to keep `google.com`'s "high" priority cookies. We only consider priority when determining which of a particular domain's to evict, once we know that we need to evict a few. It is quite limited in scope, and does not override any of the other mechanisms which might cause a cookie to be removed. In particular, `priority=high` does not change cookie expiration. I don't think it's fair at all to allude to it as a supercookie.
>
>> Regarding "Priority=Low": this allows/encourages people to add even more cookies, because "they're low priority, so they're less harmful." Telling people to add a bunch of fluffy cookies because 'they can be pruned if there are too many' doesn't seem like an improvement to me. Better advice would be: don't send so much cruft in cookies.
>
> Given that `priority` only comes into play when cookies are evicted for exceeding a domain's limit, it doesn't appear that developers have needed much encouragement. :)
>
> In the particular set of cases I'm concerned with, the problem isn't a single developer or even a single application stuffing a user's cookie jar with 150+ cookies, but a collusion of multiple applications on a single registrable domain. For each individual application, cookies might be totally legitimate and not at all crufty; that doesn't change the overall impact on the domain.
>

Doesn't that last paragraph counter the previous a bit? You don't discard example.com's low cookies to keep google.com's high ones, but you evict google.com/foo's low ones to keep google.com/bar's high ones. Even though the foo and bar teams are clearly independent of each other (else surely they could synergise their cookies a bit better in the first place.)
How many domains host 150 completely independent apps that the user is actively logged into simultaneously? Even 75? Hell, even 35? And four-five cookies per app is pushing what I'd normally consider reasonable; we're definitely pushing into cruft territory here. Maybe I'm too conservative.

If the wg/community decides that fixing the problem is intractable, then sure, patch the symptoms -- but please take care to do it in a way that doesn't make things worse.

> [...] it doesn't appear that developers have needed much encouragement.

What if the current state of things is just not making it worse?

Cheers
Received on Monday, 7 March 2016 21:50:43 UTC
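The eviction behaviour the two posters are arguing about, written out as an added toy model (not Chrome's code and not from the thread): the cap applies per registrable domain, overflow evicts from the lowest priority tier on that domain only, and expiry is unaffected by priority. The cap value, the domain names and the cookie names are constructed for the illustration.

```python
from collections import OrderedDict

DEFAULT_CAP = 4  # assumed per-domain cap for this illustration, not a number from the thread
PRIORITY_RANK = {"low": 0, "medium": 1, "high": 2}


class CookieJar:
    """Toy store: the cap is per registrable domain; an overflow evicts from the
    lowest priority tier on that domain (oldest first); expiry ignores priority."""
    def __init__(self, cap=DEFAULT_CAP):
        self.cap = cap
        self.jars = {}  # domain -> OrderedDict[name] = (priority, expires)

    def set_cookie(self, domain, name, priority="medium", expires=None):
        jar = self.jars.setdefault(domain, OrderedDict())
        jar.pop(name, None)  # re-setting a cookie refreshes its recency
        jar[name] = (priority, expires)
        while len(jar) > self.cap:
            self._evict_one(domain)

    def _evict_one(self, domain):
        jar = self.jars[domain]
        # Lowest priority tier first, then the least recently set within it.
        _, _, victim = min(
            (PRIORITY_RANK[prio], idx, name)
            for idx, (name, (prio, _)) in enumerate(jar.items())
        )
        del jar[victim]

    def purge_expired(self, now):
        for jar in self.jars.values():
            for name in [n for n, (_, e) in jar.items() if e is not None and e <= now]:
                del jar[name]

    def cookies(self, domain):
        return list(self.jars.get(domain, ()))


def demo():
    # Two independent apps ("foo" and "bar") share one registrable domain.
    jar = CookieJar(cap=4)
    jar.set_cookie("example.test", "foo_session", "low")
    jar.set_cookie("example.test", "foo_prefs", "low")
    jar.set_cookie("example.test", "bar_session", "high", expires=100)
    jar.set_cookie("example.test", "bar_csrf", "high")
    jar.set_cookie("other.test", "unrelated", "low")
    # Fifth cookie on example.test evicts foo's oldest low cookie; other.test is never consulted.
    jar.set_cookie("example.test", "bar_extra", "high")
    after_evict = jar.cookies("example.test")
    jar.purge_expired(now=200)  # the high-priority cookie still expires on schedule
    return after_evict, jar.cookies("example.test"), jar.cookies("other.test")
```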