- From: Yoav Weiss <yoav.weiss@shopify.com>
- Date: Thu, 31 Oct 2024 11:05:30 +0100
- To: HTTP Working Group <ietf-http-wg@w3.org>, Anne van Kesteren <annevk@apple.com>
- Message-ID: <CALYmMadr6ZEjY3NPt1h9siJRe_uJN0=K66=cYrxmNAY45H83Lg@mail.gmail.com>
Hey folks!!

A few months back, I suggested <https://github.com/w3c/webappsec-clear-site-data/issues/82> adding a granular way to delete cookies on the WebAppSec Clear-Site-Data repo, and folks suggested the IETF may be a more appropriate venue.

Essentially, when operating large websites, one can find themselves facing "cookie cruft" - cookies that no longer have backend logic that corresponds with them. Such cookies may have been set at some point in the past with far-reaching expiration dates, and are now causing useless cookie bloat at best, or using up quotas at the expense of relevant cookies at worst <https://blog.yoav.ws/posts/how_chromium_cookies_get_evicted/>. The ability to delete duplicate/invalid cookies can also help defend against certain attacks.

Deleting cookies is possible today by setting their expiry date to one in the past <https://blog.yoav.ws/posts/how_chromium_cookies_get_evicted/#:~:text=Otherwise%2C%20if%20you,aiming%20to%20delete.>, but that requires one to know the "domain" and "path" parameters with which they were set, which is not something that can be passively observed on the server side (without jumping through a bunch of hoops and encoding those in the cookie name/value). It'd be useful to have a way to clear specific cookie names regardless of their path and domain.

On the issue <https://github.com/w3c/webappsec-clear-site-data/issues/82#issuecomment-2216991247>, +Anne van Kesteren <annevk@apple.com> suggested `Delete-Cookie: name1, name2` as an example syntax, which seems simple enough and can get the job done.

What do y'all think?

Cheers :)
Yoav
Received on Thursday, 31 October 2024 10:05:47 UTC
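As an added illustration (not part of the message above, nor any user agent's real implementation), the following Python models a cookie store keyed on (name, domain, path) per RFC 6265 and contrasts deletion via a past expiry with the proposed `Delete-Cookie` header; the store, the header semantics and the sample cookies are assumptions constructed for this example.

```python
def parse_set_cookie(header_value, request_host, default_path="/"):
    """Parse a Set-Cookie value into (name, value, domain, path, max_age)."""
    # Domain and Path default to the request host and "/" (RFC 6265 5.3): exactly
    # the values a server that did not record the original attributes cannot reproduce.
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    domain, path, max_age = request_host.lower(), default_path, None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            domain = val.lstrip(".").lower()
        elif key == "path":
            path = val
        elif key == "max-age":
            max_age = int(val)
    return name.strip(), value, domain, path, max_age


class CookieStore:
    """Model of a user agent store; a cookie's identity is (name, domain, path)."""
    def __init__(self):
        self.cookies = {}  # (name, domain, path) -> value

    def apply_set_cookie(self, header_value, request_host):
        name, value, domain, path, max_age = parse_set_cookie(header_value, request_host)
        key = (name, domain, path)
        # RFC 6265 5.3: same identity replaces the old cookie; Max-Age <= 0 evicts it.
        self.cookies.pop(key, None)
        if max_age is None or max_age > 0:
            self.cookies[key] = value

    def apply_delete_cookie(self, header_value):
        # Hypothetical `Delete-Cookie: name1, name2` from the thread: drop every
        # cookie with a listed name, whatever its domain and path.
        names = {n.strip() for n in header_value.split(",") if n.strip()}
        self.cookies = {k: v for k, v in self.cookies.items() if k[0] not in names}

    def names(self):
        return sorted(k[0] for k in self.cookies)


def demo():
    store = CookieStore()
    # Constructed cruft: one name set under several scopes over the years.
    store.apply_set_cookie("legacy_id=a; Domain=example.com; Path=/", "www.example.com")
    store.apply_set_cookie("legacy_id=b; Path=/", "shop.example.com")
    store.apply_set_cookie("legacy_id=c; Path=/", "www.example.com")
    store.apply_set_cookie("session=s; Domain=example.com; Path=/", "www.example.com")
    # Today's approach, sent from www.example.com: only the copy whose
    # (domain, path) happens to match the defaults is removed.
    store.apply_set_cookie("legacy_id=; Max-Age=0", "www.example.com")
    after_expiry = store.names()
    store.apply_delete_cookie("legacy_id")
    return after_expiry, store.names()
```

Running `demo()` shows two `legacy_id` copies surviving the past-expiry approach and none surviving the name-based header.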