Cookie-related status updates.

Hey folks!

Following on from the HTTPWG meeting for which I did not prepare slides,
here are some cookie-related status updates to flesh out the minutes:

1.  RFC6265bis continues to plod forward. We're in the "fixing niggly
issues" stage of things, and WPT has been quite helpful at giving us
insight into the way different user agents treat cookies today (see
https://github.com/httpwg/http-extensions/issues/1136). Some tests have
been difficult to replicate in WPT (`Domain` attribute tests in
particular), but I'm hopeful that we can produce tests that match our
expectations. The majority of the outstanding issues that I'd like to fix
are around the `SameSite` attribute, which needs some work (
https://github.com/httpwg/http-extensions/issues?q=is%3Aopen+label%3A6265bis+label%3Asamesite).
Large outstanding issues like UTF-8 support seem (for example
https://github.com/httpwg/http-extensions/issues/1073), but I am quite
unlikely to spend time on them. If anyone is interested in poking at that
particular bear, I would appreciate help!

2.  Browsers continue to experiment with cookies' default behaviors:

    2a. Chrome intends to continue working towards `SameSite=Lax` by
default. We rolled this out at ~50% in stable, and rolled it back in early
April due to some unexpected breakage at a particularly bad time (
https://blog.chromium.org/2020/04/temporarily-rolling-back-samesite.html).
Our rollout is now holding at ~50% of non-release channels (canary, dev,
beta), and we intend to try stable again, likely over the summer.

    2b. Safari has begun blocking third-party cookies entirely (
https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/),
gating access on the Storage Access API.

    2c. The -01 draft of "Incrementally Better Cookies" (
https://tools.ietf.org/html/draft-west-cookie-incrementalism) has some
updates of interest to folks on this list. In particular, it specifies the
proposals discussed in https://github.com/mikewest/scheming-cookies and
https://github.com/sbingler/schemeful-same-site in a little more detail.

    In particular, I'd appreciate feedback on section 3.6 of that draft
<https://tools.ietf.org/html/draft-west-cookie-incrementalism-01#section-3.6>,
which aims to more reasonably define the notion of a "session" from a user
agent's perspective (with, admittedly, a browser/HTML-specific view of the
concepts a user agent might need to know about).

Thanks!

-mike
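As an added illustration (not part of Mike's message or any browser's code) of the "SameSite=Lax by default" behaviour that item 2a describes, the audit below walks a site's Set-Cookie headers and reports which cookies change behaviour under that default: cookies with no SameSite attribute are treated as Lax, and SameSite=None is honoured only when Secure is also present. The rules and the sample headers are assumptions constructed for the example.

```python
"""Audit Set-Cookie headers against the SameSite=Lax-by-default rollout.

Added example. It models two rules of that rollout (assumed here, not quoted
from a spec): no SameSite attribute => treated as Lax; SameSite=None without
Secure => cookie rejected. Unknown SameSite values are treated as the default.
"""
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    effective_samesite: str  # "Lax", "Strict", "None" or "rejected"
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str):
    """Split one Set-Cookie value into (name, value, {attr-lower: value})."""
    name_value, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = name_value.partition("=")
    attributes = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip()
    return name.strip(), value, attributes


def audit_set_cookie(header: str) -> CookieAudit:
    """Report how the cookie behaves once Lax is the default."""
    name, _value, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").capitalize()  # "" when absent
    findings = []
    if samesite == "":
        effective = "Lax"
        findings.append("no SameSite attribute: now Lax, so cross-site "
                        "POST/iframe use breaks unless set explicitly")
    elif samesite == "None":
        effective = "None" if secure else "rejected"
        if not secure:
            findings.append("SameSite=None without Secure: rejected")
    elif samesite in ("Lax", "Strict"):
        effective = samesite
    else:
        effective = "Lax"
        findings.append(f"unknown SameSite value {attrs['samesite']!r}")
    return CookieAudit(name, effective, findings)


SAMPLE_HEADERS = [  # constructed examples, not captured from any real site
    "sid=abc123; Path=/; HttpOnly",
    "widget_a=1; SameSite=None; Path=/",
    "widget_b=2; SameSite=None; Secure; Path=/",
    "csrf=tok; SameSite=Strict; Secure",
]


def audit_all(headers=SAMPLE_HEADERS) -> dict:
    """Map cookie name -> effective SameSite mode for a list of headers."""
    return {a.name: a.effective_samesite for a in map(audit_set_cookie, headers)}
```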

Received on Tuesday, 26 May 2020 14:19:34 UTC