[w3ctag/design-reviews] Cookie Expires/Max-Age attribute upper limit (Issue #729)

Braw mornin' TAG!

I'm requesting a TAG review of Cookie Expires/Max-Age attribute upper limit.

When cookies are set with an explicit Expires/Max-Age attribute the value will now be capped to no more than 400 days in the future. Previously, there was no limit and cookies could expire multiple millennia in the future.

The draft of [rfc6265bis](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html) now contains an upper limit for Cookie Expires/Max-Age attributes. As written:
> The user agent MUST limit the maximum value of the [Max-Age/Expiration] attribute. The limit MUST NOT be greater than 400 days (34560000 seconds) in duration. The RECOMMENDED limit is 400 days in duration, but the user agent MAY adjust the limit to be less. [Max-Age/Expiration] attributes that are greater than the limit MUST be reduced to the limit.

400 days was chosen as a round number close to 13 months in duration. 13 months was chosen to ensure that sites one visits roughly once a year (e.g. picking health insurance benefits) will continue to work.
 
According to measurements in Chrome, of all cookies set, about 20% have an Expires/Max-Age further than 400 days in the future. Of that 20%: half target 2 years, a quarter target 10 years or more, and the remainder are spread over the rest of the range.
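As an added illustration (editor's example, not Chromium's code and not part of this request), here is a small Python model of the clamping step a conforming user agent would apply when processing a `Set-Cookie` header. It follows the quoted rfc6265bis text for the 400-day limit and RFC 6265 section 5.3 for attribute precedence (Max-Age wins over Expires; a non-positive Max-Age means the cookie is already expired; an unparseable attribute is ignored; no attribute means a session cookie). `NOW` is a constructed timestamp used only to make the results deterministic.

```python
"""Model of rfc6265bis Expires/Max-Age clamping (added example, not Chromium's code)."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# The limit quoted from the draft: 400 days == 34560000 seconds.
MAX_LIFETIME = timedelta(seconds=34_560_000)

# Constructed "current time" so the examples below are reproducible.
NOW = datetime(2022, 4, 6, 14, 54, 54, tzinfo=timezone.utc)

# Earliest representable instant; RFC 6265 uses it for Max-Age <= 0.
ALREADY_EXPIRED = datetime.min.replace(tzinfo=timezone.utc)


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, attrs); attribute names are lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def requested_expiry(attrs: dict, now: datetime):
    """Expiry the server asked for, before any clamping (None == session cookie)."""
    if "max-age" in attrs:
        try:
            seconds = int(attrs["max-age"])
        except ValueError:
            pass  # malformed Max-Age is ignored; fall through to Expires
        else:
            return ALREADY_EXPIRED if seconds <= 0 else now + timedelta(seconds=seconds)
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # malformed Expires is ignored -> session cookie
        # Cookie dates are always UTC; tolerate a missing "GMT" suffix.
        return when if when.tzinfo else when.replace(tzinfo=timezone.utc)
    return None


def clamped_expiry(header: str, now: datetime):
    """Expiry a conforming user agent actually stores: the requested one,
    but never more than MAX_LIFETIME after `now`."""
    _, _, attrs = parse_set_cookie(header)
    wanted = requested_expiry(attrs, now)
    if wanted is None:
        return None
    return min(wanted, now + MAX_LIFETIME)


def was_clamped(header: str, now: datetime) -> bool:
    """True when the server asked for more than the limit and the UA reduced it."""
    _, _, attrs = parse_set_cookie(header)
    wanted = requested_expiry(attrs, now)
    return wanted is not None and wanted > now + MAX_LIFETIME


def lifetime_seconds(header: str, now: datetime):
    """Whole seconds the stored cookie will live from `now` (None for a session cookie)."""
    expiry = clamped_expiry(header, now)
    if expiry is None:
        return None
    return int((expiry - now).total_seconds())


if __name__ == "__main__":
    for h in ("id=a; Max-Age=86400",                                 # 1 day: untouched
              "id=a; Max-Age=315360000",                             # 10 years: clamped
              "id=a; Expires=Wed, 09 Jun 2521 10:18:14 GMT",         # ~500 years: clamped
              "id=a; Max-Age=0",                                     # already expired
              "id=a"):                                               # session cookie
        print(f"{h!r}: lifetime={lifetime_seconds(h, NOW)} clamped={was_clamped(h, NOW)}")
```

Running the block prints one line per constructed header; the two far-future cookies both come out at exactly 34560000 seconds, which is the behaviour the Chromium unit tests named in this request exercise.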

- Explainer: https://github.com/httpwg/http-extensions/pull/1732

- Specification URL: https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html

- Tests:
  - https://source.chromium.org/chromium/chromium/src/+/main:net/cookies/canonical_cookie_unittest.cc (see test names starting with `CanonicalCookieWithClampingTest`).
  - WPT has [some](http://third_party/blink/web_tests/external/wpt/cookie-store/cookieListItem_attributes.https.any.js) (and [support for more](https://github.com/web-platform-tests/rfcs/pull/108) is being added)
- Security and Privacy self-review: [https://github.com/httpwg/http-extensions/blob/main/archive/tag/cookie-expires-clamping.md](https://github.com/httpwg/http-extensions/blob/main/archive/writeups/tag-security-privacy-cookie-expires-clamping.md)
- GitHub repo (if you prefer feedback filed there): https://github.com/httpwg/http-extensions/

- Primary contacts (and their relationship to the specification):
  - Ari Chivukula (@arichiv - contributor)
  - Mike Taylor (@miketaylr - contributor)
- Organization(s)/project(s) driving the specification: Chromium
- Key pieces of existing multi-stakeholder review or discussion of this specification:
  - Mozilla's position: https://github.com/mozilla/standards-positions/issues/592
  - WebKit's position: https://lists.webkit.org/pipermail/webkit-dev/2022-January/032096.html
- External status/issue trackers for this specification (publicly visible, e.g. Chrome Status):
  - https://crbug.com/1264458
  - https://www.chromestatus.com/feature/4887741241229312

Further details:
- I have reviewed the TAG's [Web Platform Design Principles](https://w3ctag.github.io/design-principles/)
- The group where the work on this specification is currently being done: HTTPWG
- The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue): N/A
- Major unresolved issues with or opposition to this specification: N/A
- This work is being funded by: Google

We'd prefer the TAG provide feedback as (please delete all but the desired option):

  🐛 open issues in our [GitHub repo](https://github.com/httpwg/http-extensions/) for **each point of feedback**

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/729

Message ID: <w3ctag/design-reviews/issues/729@github.com>

Received on Wednesday, 6 April 2022 14:54:54 UTC