Re: [whatwg/fetch] Integrate with new draft cookie spec (draft-annevk-johannhof-httpbis-cookies/00+ε) (PR #1807)

@annevk commented on this pull request.



> @@ -54,10 +54,29 @@ urlPrefix:https://tc39.es/ecma262/#;type:dfn;spec:ecma-262
     url:realm;text:realm
     url:sec-list-and-record-specification-type;text:Record
     url:current-realm;text:current realm
+
+urlPrefix:https://www.ietf.org/archive/id/draft-annevk-johannhof-httpbis-cookies-00.html#;type:dfn;spec:cookies

https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-layered-cookies

(for drafts we typically use datatracker so we don't have to update all links for each revision)

>  </pre>
 
 <pre class=biblio>
 {
+    "COOKIES": {
+      "authors": ["Johann Hofmann", "Anne van Kesteren"],
+      "href": "https://www.ietf.org/archive/id/draft-annevk-johannhof-httpbis-cookies-00.html",

https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-layered-cookies

>  </pre>
 
 <pre class=biblio>
 {
+    "COOKIES": {
+      "authors": ["Johann Hofmann", "Anne van Kesteren"],
+      "href": "https://www.ietf.org/archive/id/draft-annevk-johannhof-httpbis-cookies-00.html",
+      "title": "Cookies: HTTP State Management Mechanism"

```suggestion
      "title": "Cookies: HTTP State Management Mechanism",
      "publisher": "IETF",
```

> @@ -1938,6 +1957,10 @@ not always relevant and might require different behavior.
 "<code>client</code>" or an <a for=/>origin</a>. Unless stated otherwise it is
 "<code>client</code>".
 
+<p>A <a for=/>request</a> has an associated
+<dfn export for=request id=concept-request-navigation-initiator-origin>top-level navigation
+initiator origin</dfn>, which is an <a for=/>origin</a> or null. Unless stated otherwise it is null.
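Review bot: the definition of "top-level navigation initiator origin" says what the field holds but not which caller sets it; since the same-site mode algorithm later in this diff only applies its cross-site check when this value is non-null, the definition should point at (or another hunk should add) the navigation step that populates it, otherwise it stays null for every request and the check never fires.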

No newlines inside phrasing-level elements.

> @@ -4225,7 +4257,133 @@ indicates the request’s purpose is to fetch a resource that is anticipated to
 <p class=note>The server can use this to adjust the caching expiry for prefetches, to disallow the
 prefetch, or to treat it differently when counting page visits.
 
+<h2 id=cookies>Cookies</h2>

I think a h2 is preceded by three newlines typically. (Please double check.)

> @@ -4225,7 +4257,133 @@ indicates the request’s purpose is to fetch a resource that is anticipated to
 <p class=note>The server can use this to adjust the caching expiry for prefetches, to disallow the
 prefetch, or to treat it differently when counting page visits.
 
+<h2 id=cookies>Cookies</h2>
+
+<h3 id=cookie-header>`<code>Cookie</code>` header</h3>
+
+<p>The `<code>Cookie</code>` header is largely defined in its own specification. [[COOKIES]].
+We define infrastructure to be able to use them conveniently here.
+
+<div algorithm>
+<p>To <dfn id=append-a-request-cookie-header>append a request `<code>Cookie</code>` header</dfn>,
+given a <a for=/>request</a> <var>request</var>, run these steps:
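Review bot: the sentence "The `<code>Cookie</code>` header is largely defined in its own specification. [[COOKIES]]." has a stray full stop before the citation, which leaves "[[COOKIES]]." standing as a sentence of its own; suggest "...in its own specification [[COOKIES]]." The next sentence's "use them" also has no plural antecedent (the header is singular), so "use cookies conveniently here" would read more clearly.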

```suggestion
given a <a for=/>request</a> <var>request</var>:
```

> @@ -4225,7 +4257,133 @@ indicates the request’s purpose is to fetch a resource that is anticipated to
 <p class=note>The server can use this to adjust the caching expiry for prefetches, to disallow the
 prefetch, or to treat it differently when counting page visits.
 
+<h2 id=cookies>Cookies</h2>
+
+<h3 id=cookie-header>`<code>Cookie</code>` header</h3>
+
+<p>The `<code>Cookie</code>` header is largely defined in its own specification. [[COOKIES]].
+We define infrastructure to be able to use them conveniently here.
+
+<div algorithm>
+<p>To <dfn id=append-a-request-cookie-header>append a request `<code>Cookie</code>` header</dfn>,
+given a <a for=/>request</a> <var>request</var>, run these steps:
+
+<ol>
+ <li><p>If the user agent is configured to disable cookies for <var>request</var>, it should

then it should*

>  
+  <p class=note>True follows from this being invoked from <a>fetch</a>, as opposed to the
+  <code>document.cookie</code> getter steps for instance.
+
+ <li>
+  <p>Let |cookies| be the result of running <a>retrieve cookies</a> given |isSecure|,
+  <var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a>, <var>request</var>'s
+  <a for=request>current URL</a>'s <a for=url>path</a>, |httpOnlyAllowed|, and |sameSite|.
+
+  <p class=note>It is expected that the cookie store returns an ordered list of cookies

```suggestion
  <p class=note>The cookie store returns an ordered list of cookies.
```
We can state it as a fact as we know this to be true. Unfortunately we can't quite assert it, but this is close enough.

>  
+  <p class=note>True follows from this being invoked from <a>fetch</a>, as opposed to the
+  <code>document.cookie</code> getter steps for instance.
+
+ <li>
+  <p>Let |cookies| be the result of running <a>retrieve cookies</a> given |isSecure|,
+  <var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a>, <var>request</var>'s
+  <a for=request>current URL</a>'s <a for=url>path</a>, |httpOnlyAllowed|, and |sameSite|.
+
+  <p class=note>It is expected that the cookie store returns an ordered list of cookies
+
+ <li>If |cookies| <a for="list">is empty</a>, then return.

```suggestion
 <li><p>If |cookies| <a for="list">is empty</a>, then return.
```

>  
+  <p class=note>True follows from this being invoked from <a>fetch</a>, as opposed to the
+  <code>document.cookie</code> getter steps for instance.
+
+ <li>
+  <p>Let |cookies| be the result of running <a>retrieve cookies</a> given |isSecure|,
+  <var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a>, <var>request</var>'s
+  <a for=request>current URL</a>'s <a for=url>path</a>, |httpOnlyAllowed|, and |sameSite|.
+
+  <p class=note>It is expected that the cookie store returns an ordered list of cookies
+
+ <li>If |cookies| <a for="list">is empty</a>, then return.
+
+ <li>Let |value| be the result of running <a>serialize cookies</a> given |cookies|.

```suggestion
 <li><p>Let |value| be the result of running <a>serialize cookies</a> given |cookies|.
```

>  
+  <p class=note>True follows from this being invoked from <a>fetch</a>, as opposed to the
+  <code>document.cookie</code> getter steps for instance.
+
+ <li>
+  <p>Let |cookies| be the result of running <a>retrieve cookies</a> given |isSecure|,
+  <var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a>, <var>request</var>'s
+  <a for=request>current URL</a>'s <a for=url>path</a>, |httpOnlyAllowed|, and |sameSite|.
+
+  <p class=note>It is expected that the cookie store returns an ordered list of cookies
+
+ <li>If |cookies| <a for="list">is empty</a>, then return.
+
+ <li>Let |value| be the result of running <a>serialize cookies</a> given |cookies|.
+
+ <li><a for="header list">Append</a> (`<code>Cookie</code>`, <var>value</var>) to

```suggestion
 <li><p><a for="header list">Append</a> (`<code>Cookie</code>`, <var>value</var>) to
```

> +  <var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a>, <var>request</var>'s
+  <a for=request>current URL</a>'s <a for=url>path</a>, |httpOnlyAllowed|, and |sameSite|.
+
+  <p class=note>It is expected that the cookie store returns an ordered list of cookies
+
+ <li>If |cookies| <a for="list">is empty</a>, then return.
+
+ <li>Let |value| be the result of running <a>serialize cookies</a> given |cookies|.
+
+ <li><a for="header list">Append</a> (`<code>Cookie</code>`, <var>value</var>) to
+ <var>request</var>'s <a for=request>header list</a>.
+</ol>
+</div>
+
+<div algorithm>
+<p>To <dfn id=parse-and-store-response-cookie-headers>parse and store response

No newlines inside phrasing-level elements. You'll have to wrap just before the `<dfn>` and after `</dfn>`.

> +
+  <p class=note>It is expected that the cookie store returns an ordered list of cookies
+
+ <li>If |cookies| <a for="list">is empty</a>, then return.
+
+ <li>Let |value| be the result of running <a>serialize cookies</a> given |cookies|.
+
+ <li><a for="header list">Append</a> (`<code>Cookie</code>`, <var>value</var>) to
+ <var>request</var>'s <a for=request>header list</a>.
+</ol>
+</div>
+
+<div algorithm>
+<p>To <dfn id=parse-and-store-response-cookie-headers>parse and store response
+`<code>Set-Cookie</code>` headers</dfn>, given a <a for=/>request</a> <var>request</var> and a
+<a for=/>response</a> <var>response</var>, run these steps:

```suggestion
<a for=/>response</a> <var>response</var>:
```

> +</div>
+
+<div algorithm>
+<p>To <dfn id=parse-and-store-response-cookie-headers>parse and store response
+`<code>Set-Cookie</code>` headers</dfn>, given a <a for=/>request</a> <var>request</var> and a
+<a for=/>response</a> <var>response</var>, run these steps:
+
+<ol>
+ <li><p>If the user agent is configured to disable cookies for <var>request</var>,
+ then it should return.
+
+ <li><p>Let |allowNonHostOnlyCookieForPublicSuffix| be false.
+
+ <li><p>Let |isSecure| be false.
+
+ <li><p>If <var>request</var>'s <a for=request>client</a> is a <a>secure context</a>, set
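Review bot: deriving |isSecure| from "request's client is a secure context" ties the flag to the caller rather than to the URL being fetched, and |isSecure| is the value passed on to "parse and store a cookie" (and, in the request-side algorithm above, to "retrieve cookies"), where the cookie specification's Secure-attribute decisions are keyed on it. A secure-context document fetching a plaintext URL would then have cookies stored and retrieved as if the transport were secure, while the reverse case would withhold them; the scheme of request's current URL is the property those decisions are defined against. Whichever is chosen, the step should also state what happens when client is null, since nothing earlier in the hunk rules that out.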

then set*

(is client always non-null at this point?)

But also, shouldn't this simply be a function of the request URL's scheme, not the client?

> +  for `<code>Set-Cookie</code>`, <a for=iteration>continue</a>.
+
+  <li><p><a>Parse and store a cookie</a> given <var>header</var>'s <a for=header>value</a>,
+  |isSecure|, <var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a>,
+  <var>request</var>'s <a for=request>current URL</a>'s <a for=url>path</a>, |httpOnlyAllowed|,
+  |allowNonHostOnlyCookieForPublicSuffix|, and |sameSiteStrictOrLaxAllowed|.
+
+  <li><p><a>Garbage collect cookies</a> given <var>request</var>'s
+  <a for=request>current URL</a>'s <a for=url>host</a>.
+ </ol>
+</ol>
+</div>
+
+<h3 id=cookie-infrastructure>Cookie Infrastructure</h3>
+
+These algorithms are not only for use with the `<code>Cookie</code>` header, and are used in other
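Review bot: "Garbage collect cookies" is the last item of the inner <ol>, so it runs once for every Set-Cookie header in the response rather than once per response; unless the cookie specification requires collection after each individual store, moving that step after the inner </ol> yields the same final cookie store with a single pass.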

```suggestion
<p>These algorithms are not only for use with the `<code>Cookie</code>` header, and are used in other
```
(might need rewrapping too)

> + <ol>
+  <li><p>If <var>header</var>'s <a for=header>name</a> is not a <a>byte-case-insensitive</a> match
+  for `<code>Set-Cookie</code>`, <a for=iteration>continue</a>.
+
+  <li><p><a>Parse and store a cookie</a> given <var>header</var>'s <a for=header>value</a>,
+  |isSecure|, <var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a>,
+  <var>request</var>'s <a for=request>current URL</a>'s <a for=url>path</a>, |httpOnlyAllowed|,
+  |allowNonHostOnlyCookieForPublicSuffix|, and |sameSiteStrictOrLaxAllowed|.
+
+  <li><p><a>Garbage collect cookies</a> given <var>request</var>'s
+  <a for=request>current URL</a>'s <a for=url>host</a>.
+ </ol>
+</ol>
+</div>
+
+<h3 id=cookie-infrastructure>Cookie Infrastructure</h3>

```suggestion
<h3 id=cookie-infrastructure>Cookie infrastructure</h3>
```

> +<p>To <dfn>determine the same-site mode</dfn> for a given <a for=/>request</a> <var>request</var>,
+run these steps:

```suggestion
<p>To <dfn>determine the same-site mode</dfn> for a given <a for=/>request</a> <var>request</var>:
```

> +  <a for=request>current URL</a>'s <a for=url>host</a>.
+ </ol>
+</ol>
+</div>
+
+<h3 id=cookie-infrastructure>Cookie Infrastructure</h3>
+
+These algorithms are not only for use with the `<code>Cookie</code>` header, and are used in other
+specifications.
+
+<div algorithm>
+<p>To <dfn>determine the same-site mode</dfn> for a given <a for=/>request</a> <var>request</var>,
+run these steps:
+
+<ol>
+ <li><p><a for=/>Assert</a>: <var>request</var>'s <a for=request>method</a> is "GET" or "POST".

Needs to look like "`GET`" so use `<code>` as well.

> +
+<h3 id=cookie-infrastructure>Cookie Infrastructure</h3>
+
+These algorithms are not only for use with the `<code>Cookie</code>` header, and are used in other
+specifications.
+
+<div algorithm>
+<p>To <dfn>determine the same-site mode</dfn> for a given <a for=/>request</a> <var>request</var>,
+run these steps:
+
+<ol>
+ <li><p><a for=/>Assert</a>: <var>request</var>'s <a for=request>method</a> is "GET" or "POST".
+
+ <li><p>If <var>request</var>'s <a for=request>top-level navigation initiator origin</a> is not
+ null and is not <a for=/>same site</a> to <var>request</var>'s <a for=request>URL</a>'s
+ <a for=url>origin</a>, return "<code>UnsetOrLess</code>".
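Review bot: step 1 asserts the method is "GET" or "POST", which only holds for navigation requests, yet the paragraph introducing this section says these algorithms are used by other specifications; either the assert is too strong for those callers or the paragraph should say the algorithm is navigation-only. Step 2 compares the initiator origin against request's URL's origin, whereas the retrieve and store algorithms above consistently use request's current URL; for a navigation that is redirected cross-site the two differ, so the choice should be deliberate and current URL is the one that reflects the URL cookies are actually attached to.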

then return (also applies below)

> @@ -6288,14 +6432,9 @@ optional boolean <var>forceNewConnection</var> (default false), run these steps:
  <li><p>Set <var>response</var>'s <a for=response>body</a> to a new <a for=/>body</a> whose
  <a for=body>stream</a> is <var>stream</var>.
 
- <li><p tracking-vector>If <var>includeCredentials</var> is true and the user agent is not
- configured to block cookies for <var>request</var> (see
- <a href=https://httpwg.org/specs/rfc6265.html#privacy-considerations>section 7</a> of
- [[!COOKIES]]), then run the "set-cookie-string" parsing algorithm (see
- <a href=https://httpwg.org/specs/rfc6265.html#set-cookie>section 5.2</a> of [[!COOKIES]]) on the
- <a for=header>value</a> of each <a for=/>header</a> whose <a for=header>name</a> is a
- <a>byte-case-insensitive</a> match for `<code>Set-Cookie</code>` in <var>response</var>'s
- <a for=response>header list</a>, if any, and <var>request</var>'s <a for=request>current URL</a>.
+ <li><p tracking-vector>If <var>includeCredentials</var> is true, the user agent should
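Review bot: the removed text carried the condition "and the user agent is not configured to block cookies for request" together with a link to the privacy-considerations section as justification; the replacement keeps only "If includeCredentials is true", so that check now lives solely in step 1 of "parse and store response Set-Cookie headers". That is fine provided this line leads into that algorithm, which should be confirmed once the truncated line is visible, and the tracking-vector attribute being retained is good.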

```suggestion
 <li><p tracking-vector>If <var>includeCredentials</var> is true, then the user agent should
```

>  </pre>
 
 <pre class=biblio>
 {
+    "COOKIES": {
+      "authors": ["Johann Hofmann", "Anne van Kesteren"],
+      "href": "https://www.ietf.org/archive/id/draft-annevk-johannhof-httpbis-cookies-00.html",
+      "title": "Cookies: HTTP State Management Mechanism"

Although it seems these should be indented more as we use four space indentation here?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1807#pullrequestreview-2846331688

Message ID: <whatwg/fetch/pull/1807/review/2846331688@github.com>

Received on Friday, 16 May 2025 11:33:36 UTC