- From: Johann Hofmann <johannhof@google.com>
- Date: Wed, 30 Apr 2025 16:25:25 -0400
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: ietf-http-wg@w3.org
- Message-ID: <CAD_OO4gb_2NdrEp6PM8rWBjHPK=XBb_oFQY-fvf09D80p+MVZA@mail.gmail.com>

(Thank you everyone for the statements of support)

Hi Daniel and Julian,

As to why we're proposing this change overall, there's a longer writeup at https://lists.w3.org/Archives/Public/ietf-http-wg/2024OctDec/0278.html, we also presented this work at the last two IETF meetings, but I'll try to summarize again here:

6265bis makes a lot of really important changes to Cookies, especially with regards to security, and has been in development for a very long time, and it made a lot of sense to move it to publication. At the same time, browsers are working on new fundamental Cookie features and concepts such as Partitioning, Third-Party Cookie Blocking, "Storage" Access and others, that would need to be incorporated into a new Cookie specification.

One thing we found was that the current "layering" and integration between the various browser specs and 6265bis are not ideal: Concrete manifestations of that are SameSite handling and the "Cookie Store API" specification, which lack the proper integration to specify exact behavior that can be implemented interoperably by all implementors. This is very visible in Cookie Store API where things like Cookie change events are entirely unspecified (but implemented by Chrome).

I think 3986 vs URL is something that we can figure out as we work on this draft. The main goal of this revision is to make sure browsers can actually implement a well-defined and interoperable version of cookies, and it feels necessary to have some layer on the Cookie spec side that is compatible with the URL parser browsers are using. Anne can probably speak more to this. We could file an issue and take it from there.

Cheers,
Johann

On Wed, Apr 30, 2025 at 12:33 AM Julian Reschke <julian.reschke@gmx.de> wrote:

> On 29.04.2025 at 08:22, Daniel Stenberg wrote:
> > On Sat, 19 Apr 2025, Mark Nottingham wrote:
> >
> >> This is a Call for Adoption of the following document:
> >> https://www.ietf.org/archive/id/draft-annevk-johannhof-httpbis-cookies-01.html
> >
> > I'm curious on this group's, and the IETF's in general, take on
> > references to (moving) WHATWG documents instead of IETF ones, like this
> > draft introduces.
> >
> > See [INFRA] and [URL].
> >
> > I'm in particular concerned about the second, as I believe its
> > inconsistencies with RFC 3986 and the effects of those differences (if
> > any) on cookies are hard to assess. In particular since that document,
> > contrary to IETF documents, is a "living" document. What was true
> > yesterday might not be true tomorrow. If there is no (practical)
> > difference, I figure referencing RFC 3986 would be better, as that is
> > fixed and known.
>
> Yes.
>
> (and I feel we have that discussion the 1000th time)
>
> If RFC 3986 is ok for 6265, why isn't that the case for the revision?
>
> Speaking of which, why do we replace a document that we just sent to the
> IESG with something that (on first glance) looks like a completely new
> document?
>
> Do we have a problem statement somewhere?
>
> Best regards, Julian

Received on Wednesday, 30 April 2025 20:25:42 UTC