Re: [w3ctag/design-reviews] Scheming Cookies (#483)

> [title] & [problem statement]

Addressed in https://github.com/mikewest/scheming-cookies/commit/bb525531232d2f4b27d624a1058922ec4f37b6ac.

> How does this relate to other schemes besides http and https

This is explicitly addressed (as `weird-scheme:`) in https://github.com/mikewest/scheming-cookies#cookies-scope. Is there text I could add there that would help clarify?

> Cookie headers are only defined for HTTP.

Cookie headers are one part of the problem, `document.cookie` is another. Chromium, at least, allows `document.cookie` to read and write to a cookie jar from non-HTTP(S) schemes, which could in theory collide with a web-facing hostname. Though we're fairly confident that there's little risk of collision today (and we create separate cookie jars under the hood for things like extensions), we'd like to harden that boundary by simply taking the scheme into account.

> > Has there been feedback from other browsers since you filed the issue?
>
> (I think I can say Mozilla is interested, but not sure about Sec-Nonsecure-Cookie.)

There's also been mild engagement in https://lists.w3.org/Archives/Public/ietf-http-wg/2020JanMar/0188.html, with a little more discussion of the `Sec-Nonsecure-Cookie` carveout, and alternative proposals (in https://lists.w3.org/Archives/Public/ietf-http-wg/2020JanMar/0195.html, for example).

https://github.com/w3ctag/design-reviews/issues/483#issuecomment-603133947
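To illustrate the collision the reply above describes, here is an added toy example (not code from the Scheming Cookies proposal or from Chromium): a cookie jar keyed by host alone, beside one that also keys on scheme, written to from a constructed `weird-scheme://` origin that shares a hostname with a web-facing `https://` origin.

```python
# Added illustration, not part of the proposal: two toy cookie jars, one keyed
# on host only and one keyed on (scheme, host), fed the same constructed writes.
from urllib.parse import urlsplit


class CookieJar:
    """Minimal cookie store; `scheme_bound` selects the key shape."""

    def __init__(self, scheme_bound):
        self.scheme_bound = scheme_bound
        self._store = {}

    def _key(self, origin):
        parts = urlsplit(origin)
        host = parts.hostname or ""
        # Scheme-bound jars key on (scheme, host); the legacy jar on host alone.
        return (parts.scheme, host) if self.scheme_bound else host

    def set_cookie(self, origin, name, value):
        self._store.setdefault(self._key(origin), {})[name] = value

    def get_cookies(self, origin):
        return dict(self._store.get(self._key(origin), {}))


def collision_demo(scheme_bound):
    """Write a cookie from https://example.com, then overwrite the same name
    from a constructed non-HTTP(S) scheme on the same hostname, and read the
    jar back as the https and the http origin."""
    jar = CookieJar(scheme_bound)
    jar.set_cookie("https://example.com/", "session", "legit")
    # Constructed non-web scheme that happens to share the hostname.
    jar.set_cookie("weird-scheme://example.com/", "session", "planted")
    return {
        "https": jar.get_cookies("https://example.com/"),
        "http": jar.get_cookies("http://example.com/"),
    }


if __name__ == "__main__":
    # Host-only jar: the weird-scheme write clobbers the https cookie and is
    # also visible to http. Scheme-bound jar: each scheme sees only its own.
    print("host-only   :", collision_demo(scheme_bound=False))
    print("scheme-bound:", collision_demo(scheme_bound=True))
```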

Received on Tuesday, 24 March 2020 09:42:22 UTC