Re: Delete-Cookie header??

I'm assuming the scope would be similar to clear-site-data: "cookies"
where, at least in w3c land, it clears across all of the subdomains in the
"registered domain" (https://www.w3.org/TR/clear-site-data/#clear-cookies),
just with the ability to target a specific name instead of nuking
everything.

Should it be limited to the direct hierarchy or should it also impact
same-level origins like clear-site-data does? i.e. bob.example.com clears
from bob.example.com and example.com but should it be able to target
deleting from alice.example.com?

On Thu, Oct 31, 2024 at 6:57 AM Yoav Weiss <yoav.weiss@shopify.com> wrote:

>
>
> ‪On Thu, Oct 31, 2024 at 11:49 AM ‫רועי ברקאי‬‎ <roybarkayyosef@gmail.com>
> wrote:‬
>
>> As a first party cookie holder you may set an expiration date on the
>> cookie you have created.
>>
>
> Sure, but since setting an expiration date requires predicting the future,
> we need a way to correct past predictions that didn't quite work out.
>
>
>> Allowing cross site cookie deletion would enable issues for users as an
>> attacker may remove all mostly used cookie names
>>
>
> Can you expand on that? I wouldn't expect a server to be able to delete
> cookies that it can't receive, if that makes sense.
>
>
>>
>> On Thu, Oct 31, 2024, 12:39 Yoav Weiss <yoav.weiss@shopify.com> wrote:
>>
>>>
>>>
>>> On Thu, Oct 31, 2024 at 11:15 AM Daniel Stenberg <daniel@haxx.se> wrote:
>>>
>>>> On Thu, 31 Oct 2024, Yoav Weiss wrote:
>>>>
>>>> > `Delete-Cookie: name1, name2` as an example syntax, which seems simple
>>>> > enough and can get the job done.
>>>>
>>>> Since cookies are hierarchical, it should probably be noted that this list
>>>> identifying 'name1' and 'name2' can in fact match numerous cookies (for
>>>> different paths), not just two and there is no way for this syntax to
>>>> delete just a subset of them.
>>>>
>>>
>>> That's true. At the same time, the use case at hand is one where we want
>>> to delete cookies when we have no knowledge of their path.
>>> So I believe it's fine to delete all matching cookies.
>>>
>>> +Colin Bendell <colin.bendell@shopify.com> to keep me honest, as he's
>>> closer to this work.
>>>
>>>
>>>>
>>>> --
>>>>
>>>>   / daniel.haxx.se
>>>>
>>>

Received on Thursday, 31 October 2024 11:52:28 UTC
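
An added example, not written by any participant in this thread: it models the two scopes under discussion for a `Delete-Cookie: name1` response from bob.example.com, deleting only cookies that host could receive versus deleting across the registered domain as Clear-Site-Data does. The cookie jar, the function names and the caller-supplied registrable domain are assumptions for illustration; `Delete-Cookie` is a proposal with no specified behaviour.

```javascript
// Added illustration; Delete-Cookie is only a proposal and none of this is specified behaviour.
// Constructed cookie jar. hostOnly=false means the cookie was set with a Domain attribute.
const jar = [
  { name: "name1", domain: "example.com",       path: "/",     hostOnly: false },
  { name: "name1", domain: "bob.example.com",   path: "/",     hostOnly: true },
  { name: "name1", domain: "bob.example.com",   path: "/shop", hostOnly: true },
  { name: "name1", domain: "alice.example.com", path: "/",     hostOnly: true },
  { name: "name2", domain: "bob.example.com",   path: "/",     hostOnly: true },
  { name: "name1", domain: "example.org",       path: "/",     hostOnly: true },
];

// RFC 6265 section 5.1.3 domain matching (IP-address hosts are not handled here).
function domainMatch(host, cookieDomain) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Scope A, "direct hierarchy": only cookies the responding host could itself receive.
function inHierarchy(host, c) {
  return c.hostOnly ? host === c.domain : domainMatch(host, c.domain);
}

// Scope B, registered-domain wide, as Clear-Site-Data "cookies" does.
// Assumption: the caller supplies the registrable domain; a browser derives it from the Public Suffix List.
function inRegistrableDomain(registrable, c) {
  return domainMatch(c.domain, registrable);
}

// Parse the example syntax from the thread: a comma-separated list of cookie names.
function parseDeleteCookie(value) {
  return value.split(",").map((n) => n.trim()).filter((n) => n.length > 0);
}

// Returns the cookies removed. Path is deliberately ignored: every path variant of a name matches.
function applyDeleteCookie(cookies, host, headerValue, scope, registrable) {
  const names = new Set(parseDeleteCookie(headerValue));
  return cookies.filter((c) => names.has(c.name) &&
    (scope === "hierarchy" ? inHierarchy(host, c) : inRegistrableDomain(registrable, c)));
}

function describe(list) {
  return list.map((c) => `${c.name}@${c.domain}${c.path}`);
}

console.log(describe(applyDeleteCookie(jar, "bob.example.com", "name1", "hierarchy", "example.com")));
console.log(describe(applyDeleteCookie(jar, "bob.example.com", "name1", "site", "example.com")));
```

Under the hierarchy scope the sibling's cookie on alice.example.com survives; under the registered-domain scope it is removed, which is the difference the question at the top of this message turns on.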