On Fri, Mar 21, 2025 at 5:34 PM Rory Hewitt <rory.hewitt@gmail.com> wrote: > So the question is, without getting too into the weeds, do we want to > allow the Delete-Cookie header to explicitly specify path, domain etc.? > > Since the current spec has the cookie name as a quoted string, then you > *could* have: > > Delete-Cookie: "my-cookie; Path=/client; Domain=example.com" > > > But this is probably getting too detailed and might not add much benefit. > I don't necessarily see a use case for this (and the same effect can be achieved by setting an expired cookie, right?) So I'd prefer to keep things as simple as possible and not go that route. > On Fri, Mar 21, 2025 at 3:00 AM Martin Thomson <mt@lowentropy.net> wrote: > >> My understanding is that all cookies that can be read by the origin and >> that have the identified name are deleted. >> >> This means that the domain only matters to the extent that it includes >> the present origin and the path does not matter. >> >> On Thu, Mar 20, 2025, at 22:52, Rory Hewitt wrote: >> > Quick thoughts: >> > >> > If a client has two same-named cookies with different domains and/or >> > paths, do they all get deleted? For example, they were sent the >> > following Set-Cookie headers from the example.com server: >> > >> > Set-Cookie: my-cookie=abc; Path=/; Domain=www.example.com >> > Set-Cookie: my-cookie=def; Path=/client; Domain=example.com >> > >> > What happens if the server at example.com sends: >> > >> > Delete-Cookie: "my-cookie" >> > >> > Do they both get deleted? > >
Received on Friday, 21 March 2025 16:49:28 UTC