Re: [whatwg/fetch] Integrate with new draft cookie spec (draft-annevk-johannhof-httpbis-cookies/00+ε) (PR #1807)

@bvandersloot-mozilla commented on this pull request.



> +given a <a for=/>request</a> <var>request</var>, run these steps:
+
+<ol>
+  <li><p>If the user-agent is configured to disable cookies for <var>request</var>, it should
+  return.
+
+  <li><p>Let |sameSite| be the result of [=determining the same-site mode=] for <var>request</var>.
+
+  <li><p>Let |isSecure| be false.
+
+  <li><p>If <var>request</var>'s <a for=request>client</a> is a <a>secure context</a>, then set
+  |isSecure| to true.
+
+  <li><p>Let |httpOnlyAllowed| be true.
+
+  <p class=note>Fetch implies that the request is http-only, as opposed to document.cookie
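
Review bot: step 1 ends with "it should return", which reads as an optional requirement in the middle of an algorithm; the other steps are plain imperatives ("Let ...", "set ..."), so "then return" would match them and remove the ambiguity of "should". The hunk also mixes two markup styles: <var>request</var> and <a for=request>client</a> sit next to |sameSite|, |isSecure|, |httpOnlyAllowed| and [=determining the same-site mode=]. Using one form throughout would keep the steps consistent.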

How does this change look:

<p class=note>Since this algorithm is performed on a <a for=/>request</a>, we know that the
cookies were produced from HTTP, rather than script mechanisms such as
<code>document.cookie</code>.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1807#discussion_r2042348122

Received on Monday, 14 April 2025 15:05:24 UTC