Re: [w3ctag/design-reviews] Cookie Store API (#469)

@lknik Thank you for the feedback!

> I see that the questionnaire, filled as it stands now, does not address cookie capability in service workers (which currently have no access to cookies). Did you look at it, and would it perhaps be possible to amend that?

We've updated the questionnaire (https://github.com/WICG/cookie-store/blob/master/security-privacy-self-assessment.md#33-does-this-specification-introduce-new-state-for-an-origin-that-persists-across-browsing-sessions).

Thank you for pointing out this gap in our explanation.

As a guiding principle, we want the Cookie Store API to match the access level of the existing `document.cookie` API. We do not want to expand a page's access to cookie data, and we're OK with reducing access in some edge cases, such as non-secure contexts.

We think that Service Workers can currently access the cookies of any URL under their scope. For example, a service worker could respond to any top-level request with an HTML document embedding an `<iframe>` pointing to the desired URL. When responding to the request for that URL, the Service Worker can respond with an HTML document containing a `<script>` that proxies the Service Worker's access to the `document.cookie` API using `postMessage`.

For this reason, we think that our API doesn't change the security properties of cookies on the Web Platform. We only intend to provide high-performance alternatives to the current cookie access methods. We hope this allows developers to improve the user experience on sites that rely on cookies.

> Is the API implemented already?

We have implemented the API behind a flag in Chrome. The API will undergo at least one more Origin Trial before we consider shipping it. We look forward to the TAG's feedback, and are eager to improve the API based on it.


https://github.com/w3ctag/design-reviews/issues/469#issuecomment-594167938

Received on Tuesday, 3 March 2020 21:05:25 UTC
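To make the access-parity principle in the reply above concrete, here is a small helper that reads cookies through `cookieStore` where a scope exposes it (a window or a service worker in a supporting browser, secure contexts only) and otherwise falls back to parsing the legacy `document.cookie` string, returning the same `{name, value}` shape either way. This is an added example, not code from the Cookie Store proposal or from Chrome; the function names and the sample cookie strings are our own.

```javascript
// Added example: one read path over two cookie APIs. Function names are ours.

// Parse the "name=value; name2=value2" string that document.cookie returns.
function parseDocumentCookie(cookieString) {
  const items = [];
  for (const pair of cookieString.split(';')) {
    const trimmed = pair.trim();
    if (trimmed === '') continue; // empty document.cookie -> no items
    const eq = trimmed.indexOf('=');
    // Only the first "=" separates name from value; later ones belong to the value.
    // A pair with no "=" is exposed by document.cookie as a cookie with an empty name.
    const name = eq === -1 ? '' : trimmed.slice(0, eq);
    const value = eq === -1 ? trimmed : trimmed.slice(eq + 1);
    items.push({ name, value });
  }
  return items;
}

// Feature detection: the Cookie Store API is exposed on window and on
// ServiceWorkerGlobalScope in supporting browsers, and only in secure contexts.
function hasCookieStore(scope) {
  return scope !== null && typeof scope === 'object' &&
    typeof scope.cookieStore === 'object' && scope.cookieStore !== null &&
    typeof scope.cookieStore.getAll === 'function';
}

// Reduce a cookieStore.getAll() result (items carrying name, value, domain, path,
// expires, secure, sameSite, ...) to the two fields document.cookie exposes.
function toNameValueList(cookieList) {
  return cookieList.map((c) => ({ name: c.name, value: c.value }));
}

// Read all cookies visible to this scope, whichever API is available.
async function getAllCookies(scope) {
  if (hasCookieStore(scope)) {
    return toNameValueList(await scope.cookieStore.getAll());
  }
  if (scope && scope.document && typeof scope.document.cookie === 'string') {
    return parseDocumentCookie(scope.document.cookie);
  }
  // A service worker on a browser without the Cookie Store API has no direct
  // cookie access; surface that rather than silently returning nothing.
  throw new Error('no cookie access in this scope');
}
```

In a page you would call `getAllCookies(window)`, in a service worker `getAllCookies(self)`. The extra attributes `cookieStore.getAll()` returns (domain, path, `secure`, `sameSite`) are metadata about cookies the scope could already read; the helper drops them only so the two code paths compare like for like.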