W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2019

Incremental improvements to cookies.

From: Mike West <mkwst@google.com>
Date: Wed, 8 May 2019 08:57:53 +0200
Message-ID: <CAKXHy=eEOkNUp0r=bucO3jwRRYsVmnw6_xqM5ZWj30OsrWgVSQ@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Hey folks,

Thanks again for the conversations at the recent HTTP Workshop. I was happy
to hear some general support for Doing Something(tm) about cookies, and I
look forward to more conversations about the direction and details of
potential replacements. I owe y'all some responses to threads on HTTP State
Tokens, and I hope to get to those this week.

Still, I got concrete feedback from a few folks that it would be a better
use of our time to focus on improvements to cookies, as they exist today,
and aren't as amazing as we'd like them to be. I suspect you won't be
shocked to learn that I think we can walk and chew gum at the same time,
but I think you also won't be surprised that I'm very much in favor of
incremental improvements to cookies where we see opportunities.

https://mikewest.github.io/cookie-incrementalism/draft-west-cookie-incrementalism.html
("paginated"
at https://tools.ietf.org/html/draft-west-cookie-incrementalism) sketches
out two changes that I hope we can come to concensus on:

1.  Treat cookies as `SameSite=Lax` by default.
2.  Allow developers to opt-into the status quo behavior by explicitly
setting `SameSite=None`, but require the `Secure` attribute when doing so.

The document linked above spells those out in a bit more detail, and
attempts to justify them both through principle and practical impact.

WDYT?

-mike
Received on Wednesday, 8 May 2019 06:58:27 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 8 May 2019 06:58:29 UTC