Re: Delete-Cookie header?? from Johann Hofmann on 2025-03-24 (ietf-http-wg@w3.org from January to March 2025)

From: Johann Hofmann <johannhof@google.com>
Date: Mon, 24 Mar 2025 09:52:19 -0400
To: Martin Thomson <mt@lowentropy.net>
Cc: Yoav Weiss <yoav.weiss@shopify.com>, Rory Hewitt <rory.hewitt@gmail.com>, Daniel Stenberg <daniel@haxx.se>, Willy Tarreau <w@1wt.eu>, Daniel Veditz <dveditz@mozilla.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAD_OO4hLqT2CFewzOyQroNX9-+QMWHDx3rnfoFoVQu7iS1pucA@mail.gmail.com>

FWIW, I agree with Yoav and Martin. It also seems like this would be safe
to retrofit later if there's strong demand.

On Fri, Mar 21, 2025 at 4:59 PM Martin Thomson <mt@lowentropy.net> wrote:

>
>
> On Fri, Mar 21, 2025, at 23:49, Yoav Weiss wrote:
> > I don't necessarily see a use case for this (and the same effect can be
> > achieved by setting an expired cookie, right?)
> > So I'd prefer to keep things as simple as possible and not go that
> > route.
>
> I agree. The simplest design here deletes all cookies with a matching
> name. Limited, of course, to those that can be read/set.
>
> Sites that rely on path or domain to separate cookies of the same name -
> and want to delete some, but not all - won’t be able to do that. They will
> have to use Set-Cookie. That seems fine to me. We don’t have to define a
> solution that is perfectly general.
>
>

Received on Monday, 24 March 2025 13:52:38 UTC