- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 10 Dec 2024 10:29:46 +0100
- To: Willy Tarreau <w@1wt.eu>
- Cc: Johann Hofmann <johannhof@google.com>, HTTP Working Group <ietf-http-wg@w3.org>, "dylancutler@google.com" <dylancutler@google.com>, Steven Bingler <bingler@google.com>

On Tue, Dec 10, 2024 at 8:01 AM Willy Tarreau <w@1wt.eu> wrote:
> Just to be clear, what is the exact goal here ? Is it to "only" provide
> a replacement to 6265 taking reality into account, or also to propose
> improvements to the standard ? Both are interesting and useful, I'm
> just trying to be sure not to be out of topic.

There's several goals we had in mind. In order of importance:

- Improving the integration between Cookies and a myriad of web platform specifications, such as Fetch, HTML's document.cookie, and Storage Access API.
- Thereby better formalizing how "third-party" cookies are to be handled.
- Integrating and standardizing the Partitioned attribute, assuming agreement.

But I would not be opposed to further additions that reach agreement and are relatively straightforward to incorporate. In particular your "logout" use case below seems similar to Yoav's Delete-Cookie header idea and it probably is too hard to clear cookies currently, so that seems worth looking into.

> For example I'd really like to have a way for a server to clear all
> (session?) cookies for the current site and possibly a path, the
> typical "logout" button. I know there's no way to guarantee that,
> but if we could do something like:
>
>     set-cookie: *=; Expires=Thu, 01 Jan 1970 00:00:00 GMT
>
> and let the browser flush all the cookies it knows for that site, that
> would be a huge step into helping logout clear cookies.

[ ... ]

>
> Another one would be to see if UAs support an expires between quotes,
> because that could be the way forward to maybe one day support folding
> multiple set-cookie header fields into a single, comma-delimited one.

Would this enable certain protocol optimizations as you no longer have the Set-Cookie header exception? This might be more difficult than just Expires as currently the name and value of a cookie can contain a comma as well. And although that is non-conforming I'm not sure you would want to tightly couple the value space of cookies to the HTTP protocol version. Opening an issue to think through the potential benefits and consider whether that ends up being worth it seems reasonable to me.

Received on Tuesday, 10 December 2024 09:30:04 UTC
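
The folding question raised in this message, as an added Python example that is not part of the original email or of any cookie specification: it folds two Set-Cookie field lines into one comma-delimited value and checks whether a quote-aware split recovers them. The cookie names and values are constructed samples, the quoted `Expires` form is the hypothetical syntax floated in the thread, and `fold`, `split_outside_quotes` and `round_trips` are illustrative helper names.

```python
# Added illustration: why Set-Cookie cannot simply be folded with commas.
# All field values below are constructed samples, not taken from the thread.

def fold(fields):
    """Combine field lines the way HTTP permits for list-based fields."""
    return ", ".join(fields)

def split_outside_quotes(folded):
    """Split a folded field value on commas that are not inside double quotes."""
    parts, current, in_quotes = [], [], False
    for ch in folded:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts

def round_trips(fields):
    """True when folding and then splitting returns the original field lines."""
    return split_outside_quotes(fold(fields)) == fields

# Today's syntax: the Expires date itself contains a comma.
UNQUOTED = [
    "sid=abc; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "theme=dark; Path=/",
]
# Hypothetical syntax (assumption): Expires between quotes, as floated above.
QUOTED = [
    'sid=abc; Expires="Thu, 01 Jan 1970 00:00:00 GMT"',
    "theme=dark; Path=/",
]
# Comma inside a cookie value: non-conforming, per the message.
COMMA_VALUE = [
    "prefs=a,b,c; Path=/",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for label, fields in (("unquoted Expires", UNQUOTED),
                          ("quoted Expires", QUOTED),
                          ("comma in value", COMMA_VALUE)):
        print(f"{label}: round-trips={round_trips(fields)}")
        for part in split_outside_quotes(fold(fields)):
            print("   ", part)
```

Quoting `Expires` fixes only the first case; the comma inside a cookie value still splits one cookie into several fragments, which is the difficulty the reply points out.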