- From: Anne van Kesteren <notifications@github.com>
- Date: Wed, 09 Apr 2025 08:56:01 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1807/review/2753963204@github.com>
@annevk commented on this pull request. You need to coordinate with @DCtheTall what additional calls into the IETF draft to make. This is not handling clearing cookies after storing, clearing cookies from UI, or clearing cookies periodically. We need to have some wording for all of that in the "Cookies" section. > +<p>A <a for=/>request</a> has a <dfn for=request id=concept-request-redirect-taint>redirect-taint</dfn>, +which is "<code>same-origin</code>", "<code>same-site</code>", or "<code>cross-site</code>". +<p>To get <a for=/>request</a> <var>request</var>'s <a>redirect-taint</a>: ```suggestion <p>To compute the <dfn for=request id=concept-request-redirect-taint>redirect-taint</dfn> of a <a for=/>request</a> <var>request</var>, perform the following steps. They return "<code>same-origin</code>", "<code>same-site</code>", or "<code>cross-site</code>". ``` > @@ -2486,8 +2516,9 @@ this is also tracked internally using the request's <a for=request>timing allow <dfn export for=response>service worker timing info</dfn> (null or a <a for=/>service worker timing info</a>), which is initially null. -<p>A <a for=/>response</a> has an associated <dfn for=response>has-cross-origin-redirects</dfn> -(a boolean), which is initially false. +<p>A <a for=/>response</a> has an associated <dfn for=response>redirect taint</dfn> +("<code>same-origin</code>", "<code>same-site</code>", or "<code>cross-site</code>", which is ```suggestion ("<code>same-origin</code>", "<code>same-site</code>", or "<code>cross-site</code>"), which is ``` 
> @@ -4225,7 +4256,108 @@ indicates the request’s purpose is to fetch a resource that is anticipated to <p class=note>The server can use this to adjust the caching expiry for prefetches, to disallow the prefetch, or to treat it differently when counting page visits. +<h2 id=cookies>Cookies</h2> + +<h3 id=cookie-header>`<code>Cookie</code>` header</h3> + +<p>The `<code>Cookie</code>` header is largely defined in its own specification. [[COOKIES]]. +We define infrastructure to be able to use them conveniently here. + +<div algorithm> +<p>To <dfn id=append-a-request-cookie-header>append a request `<code>Cookie</code>` header</dfn>, +given a <a for=/>request</a> <var>request</var>, run these steps: + +<ol> + <li><p>If the user-agent is configured to disable cookies for <var>request</var>, it should - Single-space indentation (applies throughout). - user agent (without hyphen) - then it should return* > +<div algorithm> +<p>To <dfn id=append-a-request-cookie-header>append a request `<code>Cookie</code>` header</dfn>, +given a <a for=/>request</a> <var>request</var>, run these steps: + +<ol> + <li><p>If the user-agent is configured to disable cookies for <var>request</var>, it should + return. + + <li><p>Let |sameSite| be the result of [=determining the same-site mode=] for <var>request</var>. + + <li><p>Let |isSecure| be false. + + <li><p>If <var>request</var>'s <a for=request>client</a> is a <a>secure context</a>, then set + |isSecure| to true. + + <li><p>Let |httpOnlyAllowed| be true. This `<li>` contains multiple children so the `<p>` needs to be on its own line (and indented, as should the next `<p>`) > +given a <a for=/>request</a> <var>request</var>, run these steps: + +<ol> + <li><p>If the user-agent is configured to disable cookies for <var>request</var>, it should + return. + + <li><p>Let |sameSite| be the result of [=determining the same-site mode=] for <var>request</var>. + + <li><p>Let |isSecure| be false. 
+ + <li><p>If <var>request</var>'s <a for=request>client</a> is a <a>secure context</a>, then set + |isSecure| to true. + + <li><p>Let |httpOnlyAllowed| be true. + + <p class=note>Fetch implies that the request is http-only, as opposed to document.cookie This needs to use a bit more formal language and `<code>` as appropriate. Also a trailing dot. > +<ol> + <li><p>If the user-agent is configured to disable cookies for <var>request</var>, it should + return. + + <li><p>Let |sameSite| be the result of [=determining the same-site mode=] for <var>request</var>. + + <li><p>Let |isSecure| be false. + + <li><p>If <var>request</var>'s <a for=request>client</a> is a <a>secure context</a>, then set + |isSecure| to true. + + <li><p>Let |httpOnlyAllowed| be true. + + <p class=note>Fetch implies that the request is http-only, as opposed to document.cookie + + <li><p>Let |cookies| be the result of running <a>retrieve cookies</a> given |isSecure|, `<li>` with multiple children comment (see above). > + return. + + <li><p>Let |sameSite| be the result of [=determining the same-site mode=] for <var>request</var>. + + <li><p>Let |isSecure| be false. + + <li><p>If <var>request</var>'s <a for=request>client</a> is a <a>secure context</a>, then set + |isSecure| to true. + + <li><p>Let |httpOnlyAllowed| be true. + + <p class=note>Fetch implies that the request is http-only, as opposed to document.cookie + + <li><p>Let |cookies| be the result of running <a>retrieve cookies</a> given |isSecure|, + <var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a>, <var>request</var>'s + <a for=request>current URL</a>'s <a for=url>path</a>, |httpOnlyAllowed|, and |sameSite| Trailing dot. > + <a for=request>current URL</a>'s <a for=url>path</a>, |httpOnlyAllowed|, and |sameSite| + + <p class=note>It is expected that the cookie store returns an ordered list of cookies + + <li>If |cookies| <a for="list">is empty</a>, then return. 
+ + <li>Let |value| be the result of running <a>serialize cookies</a> given |cookies|. + + <li><a for="header list">Append</a> (`<code>Cookie</code>`, <var>value</var>) to + <var>request</var>'s <a for=request>header list</a>. +</ol> +</div> + +<div algorithm> +<p>To <dfn id=parse-and-store-response-cookie-headers>parse and store response +`<code>Set-Cookie</code>` headers</dfn>, given a <a for=/>request</a> <var>request</var> and a <a No wrapping inside a phrasing-level element (applies multiple times). -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1807#pullrequestreview-2753963204 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/fetch/pull/1807/review/2753963204@github.com>
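Review bot: the hunk introducing the request-level `<dfn for=request id=concept-request-redirect-taint>redirect-taint</dfn>` spells the term with a hyphen, while the hunk at -2486 defines the response-level term as `redirect taint` without one; use one spelling for both `<dfn>`s so that `<a>redirect-taint</a>` references and the exported term name stay consistent across the request and response sections. The steps that compute the value for a request are not part of the quoted region, so only the definition and its three allowed values ("same-origin", "same-site", "cross-site") can be checked here.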
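Review bot: in the hunk at -2486, the new `<dfn for=response>redirect taint</dfn>` lacks the `export` attribute that the adjacent `<dfn export for=response>service worker timing info</dfn>` carries; if other specifications (for instance the resource timing consumer mentioned in the hunk's context line, "tracked internally using the request's timing allow") are meant to reference the response's redirect taint, it needs to be exported the same way. Since this replaces the boolean `has-cross-origin-redirects`, each former use site should be checked for which comparison it now needs: a previous "has-cross-origin-redirects is true" check corresponds to "redirect taint is not "same-origin"", not to "redirect taint is "cross-site"", and the intended mapping should be stated where those sites are updated.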
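Review bot: in the "append a request `<code>Cookie</code>` header" algorithm of the hunk at -4225, |isSecure| is set from whether <var>request</var>'s client is a secure context, but the value is then passed to "retrieve cookies" as the flag that decides whether cookies with the `Secure` attribute are returned, and the cookie draft keys that flag off the request URI's scheme, not the caller's context. As written, a secure-context client fetching an `http:` URL would have `Secure` cookies attached to a plaintext request, and the step is undefined when <var>request</var>'s client is null. Suggest deriving it from the URL instead, e.g. "Let |isSecure| be true if <var>request</var>'s current URL's scheme is "https"; otherwise false." Separately, the algorithm mixes Bikeshed `|var|` shorthand (`|sameSite|`, `|isSecure|`, `|cookies|`, `|value|`) with `<var>` markup (`<var>request</var>`, and `<var>value</var>` in the final Append step after `|value|` was defined two steps earlier); this spec uses `<var>` throughout, so the shorthand should be converted, and the `If |cookies| is empty` and `Let |value|` steps should get the same `<li><p>` wrapper as the earlier steps.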
Received on Wednesday, 9 April 2025 15:56:05 UTC