Re: Delete-Cookie header??

On Thu, Oct 31, 2024 at 11:49 AM רועי ברקאי <roybarkayyosef@gmail.com>
wrote:

> As a first party cookie holder you may set an expiration date on the
> cookie you have created.
>

Sure, but since setting an expiration date requires predicting the future,
we need a way to correct past predictions that didn't quite work out.


> Allowing cross site cookie deletion would enable issues for users as an
> attacker may remove all mostly used cookie names
>

Can you expand on that? I wouldn't expect a server to be able to delete
cookies that it can't receive, if that makes sense.


>
> On Thu, Oct 31, 2024, 12:39 Yoav Weiss <yoav.weiss@shopify.com> wrote:
>
>>
>>
>> On Thu, Oct 31, 2024 at 11:15 AM Daniel Stenberg <daniel@haxx.se> wrote:
>>
>>> On Thu, 31 Oct 2024, Yoav Weiss wrote:
>>>
>>> > `Delete-Cookie: name1, name2` as an example syntax, which seems simple
>>> > enough and can get the job done.
>>>
>>> Since cookies are hierarchical, it should probably be noted that this list
>>> identifying 'name1' and 'name2' can in fact match numerous cookies (for
>>> different paths), not just two and there is no way for this syntax to
>>> delete just a subset of them.
>>>
>>
>> That's true. At the same time, the use case at hand is one where we want
>> to delete cookies when we have no knowledge of their path.
>> So I believe it's fine to delete all matching cookies.
>>
>> +Colin Bendell <colin.bendell@shopify.com> to keep me honest, as he's
>> closer to this work.
>>
>>
>>>
>>> --
>>>
>>>   / daniel.haxx.se
>>>
>>

Received on Thursday, 31 October 2024 10:54:55 UTC
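
The two points raised in this thread (a name list matching cookies on several paths, and a server only deleting cookies it could receive) can be modelled as follows. This is an added example, not part of the original message or of any specification: the `Delete-Cookie` processing rule, the `Cookie` class, the function names and the sample jar are all assumptions made for illustration, and scoping is done on domain only because the stated use case has no knowledge of paths.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str
    path: str
    host_only: bool  # True when the cookie was set without a Domain attribute

def domain_match(host: str, cookie: Cookie) -> bool:
    """Simplified RFC 6265 domain matching (no IP-address or IDNA handling)."""
    host, dom = host.lower(), cookie.domain.lower()
    if cookie.host_only:
        return host == dom
    return host == dom or host.endswith("." + dom)

def apply_delete_cookie(jar, response_host, header_value):
    """Assumed semantics: remove every cookie whose name is listed and whose
    domain matches the responding host, whatever its path."""
    names = {n.strip() for n in header_value.split(",") if n.strip()}
    removed = [c for c in jar
               if c.name in names and domain_match(response_host, c)]
    kept = [c for c in jar if c not in removed]
    return kept, removed

# Constructed sample jar: 'name1' exists on three paths of one site
# and once more on an unrelated site.
JAR = [
    Cookie("name1", "shop.example", "/", False),
    Cookie("name1", "shop.example", "/checkout", False),
    Cookie("name1", "shop.example", "/admin", False),
    Cookie("name2", "www.shop.example", "/", True),
    Cookie("name1", "other.example", "/", True),
]

if __name__ == "__main__":
    for host in ("www.shop.example", "evil.example"):
        kept, removed = apply_delete_cookie(JAR, host, "name1, name2")
        print(host, "removes", [(c.name, c.domain, c.path) for c in removed])
```

Under these assumed rules, two names remove four cookies for the first-party host, while the same header from an unrelated host removes nothing.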