Re: Delete-Cookie header??

As a first party coockie holder you may set an expiration date on the
coockie you have created.

Allowing cross site coockie deletion would enable issues for users as an
attacker may remove all mostly used coockie names

On Thu, Oct 31, 2024, 12:39 Yoav Weiss <yoav.weiss@shopify.com> wrote:

>
>
> On Thu, Oct 31, 2024 at 11:15 AM Daniel Stenberg <daniel@haxx.se> wrote:
>
>> On Thu, 31 Oct 2024, Yoav Weiss wrote:
>>
>> > `Delete-Cookie: name1, name2` as an example syntax, which seems simple
>> > enough and can get the job done.
>>
>> Since cookies are hierchical, it should probably be noted that this list
>> identifying 'name1' and 'name2' can in fact match numerous cookies (for
>> different paths), not just two and there is no way for this syntax to
>> delete
>> just a subset of them.
>>
>
> That's true. At the same time, the use case at hand is one where we want
> to delete cookies when we have no knowledge of their path.
> So I believe it's fine to delete all matching cookies.
>
> +Colin Bendell <colin.bendell@shopify.com> to keep me honest, as he's
> closer to this work.
>
>
>>
>> --
>>
>>   / daniel.haxx.se
>>
>

Received on Thursday, 31 October 2024 10:49:39 UTC