- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 25 Feb 2025 14:05:57 -0800
- To: Rory Hewitt <rory.hewitt@gmail.com>
- Cc: Patrick Meenan <patmeenan@gmail.com>, רועי ברקאי <roybarkayyosef@gmail.com>, Yoav Weiss <yoav.weiss@shopify.com>, Daniel Stenberg <daniel@haxx.se>, Colin Bendell <colin.bendell@shopify.com>, HTTP Working Group <ietf-http-wg@w3.org>, Anne van Kesteren <annevk@apple.com>
On Tue, Feb 25, 2025 at 1:36 PM Rory Hewitt <rory.hewitt@gmail.com> wrote: > store the domain of the server which created the cookie [.... A] Delete-Cookie > header could be accepted only if it came from the same server domain. I like it because it solves my delete-abuse worries, but I don't think it solves Yoav's original problem. He can see a cookie is being sent to him but he's not sure where it came from. It might be from a malicious sibling domain. We'd also have to worry about modifying cookies. If we similarly restrict that I bet we'll break stuff, and if we don't we have to decide on the various downsides of also updating the "creating hostname" or not. We shouldn't only restrict another same-site domain from setting max-age to 0: either restrict updating the cookie or don't, but don't treat attributes and values differently. In the end I think this is more complication than it's worth. -Dan Veditz
Received on Tuesday, 25 February 2025 22:06:27 UTC