Re: Cookie controls?

Hey Yoav

Would __Host cookies help here? Maybe I am missing something about the
problem but it feels like they should.


On 16 August 2018 at 01:41, Yoav Weiss <> wrote:

> Hello folks!
> Akamai has ran into some issues with cookies where Cookie Controls
> <> would've been extremely
> helpful. Digging up the issues that lead to its obsoletion didn't reveal
> much reasoning, so I'm wondering why is was rendered obsolete, and whether
> there are alternative proposed mechanisms to replace it.
> Our use case is providing customers traffic delivery in
> customer-controlled subdomain of an Akamai domain. An example of that would
> be where and
> are customer-controlled.
> The concern is that each of these subdomains can set cookies on the
> domain, polluting the shared namespace, and sending
> cookies to domains outside their control.
> While Akamai can filter header based cookies on those domains, it cannot
> prevent JS from adding such cookies.
> We would be interested in a header that we can set, and which can prevent
> those subdomains from setting cookies on the parent domain, while enabling
> them to continue to set whatever cookies they need on the subdomain itself.
> When mentioning this use-case on the call yesterday, suborigins
> <> was raised as a potential
> solution for this use-case, but looking at the draft, I'm not sure how it
> would without making those subdomain documents cookie-averse, and make it
> so they can't set cookies from JS at all (which may not be compatible with
> current, non-malicious content on those domains).
> But it's fairly possible that I'm Holding It Wrong™.
> I also realize that we want to move away from cookies
> <>, which would be great,
> but in the {short,mid}-term they'd probably still be around, so better
> control mechanisms can be very helpful.
> To sum up, my questions are:
> * Why was Cookie Controls obsoleted?
> * Are there any alternatives? Otherwise, can it be revived?
> Cheers :)
> Yoav

Received on Friday, 17 August 2018 01:38:23 UTC