[whatwg] HTML Cookie API from Garrett Smith on 2010-02-25 (public-whatwg-archive@w3.org from February 2010)

From: Garrett Smith <dhtmlkitchen@gmail.com>
Date: Wed, 24 Feb 2010 16:30:31 -0800
Message-ID: <c9e12661002241630v290ea443q52d4a23fbeb40af9@mail.gmail.com>

On Wed, Feb 24, 2010 at 4:17 PM, Adam Barth <w3c at adambarth.com> wrote:
> On Wed, Feb 24, 2010 at 4:03 PM, Garrett Smith <dhtmlkitchen at gmail.com> wrote:
>> On Tue, Feb 23, 2010 at 8:56 PM, Adam Barth <w3c at adambarth.com> wrote:
>>> The document.cookie API is kind of terrible. ?Web developers shouldn't
>>> have to parse a cookie-string or prepare a properly formated
>>> set-cookie-string. ?Here's a proposal for an HTML cookie API that
>>> isn't as terrible:
>>>
>>> https://docs.google.com/Doc?docid=0AZpchfQ5mBrEZGQ0cDh3YzRfMTRmdHFma21kMg&hl=en
>>>
>>> I'd like to propose we include this API in a future version of HTML.
>>> As always, feedback welcome.
>>>
>> | Because HttpOnly cookies are inaccessible to script, the |httpOnly|
>> | attribute will usually be false.
>>
>> Usually? When ever would HttpOnly be true?
>
> For example, if the HTML document is running with higher privileges
> because its effective security origin isn't a (scheme, host, port)
> tuple. ?This can occur, e.g., in Firefox when running with "chrome"
> privileges.
>
>> Instead of "array like", I would like to rather have a NamedCookieMap,
>> which is sort of like a NamedNodeMap that the cookies can be retrieved
>> by an item or namedItem.
>
> That API design assumes that there's only one cookie with a given name
> in each cookie-string. ?Unfortunately, that is not a valid assumption.
>

That is only true in that that example assumes that each cookie is
named. It would be entirely possible for the value to be instead a
collection, as in:

var x = document.forms[0].elements["radioName"]

- and the result is that x could be either an element or a collection
of elements.

>> Where is the argument for making the API async?
>
> Please see the discussion earlier in this thread.
>
Can you be more specific? I see:

| I really think the API should be asynchronous, as to avoid the mess
| that .localStorage currently is.

But I don't know if that's what you meant by "please see earlier".

>> Cookies have been synchronous for longer than I have been writing
>> javascript and to my knowledge, nobody has ever complained of that
>> being a problem.
>
> In fact, I've heard a great many complaints about this recently
> (particularly from Darin Fisher), which is part of what prompted me to
> make this proposal.
>

Is there a link to that? I missed it.

>> Asynchronous cookies that would mean that cookie setting tests would be harder.
>
> No one is suggesting removing the current document.cookie API.

Nobody is suggesting you change your tires. Why bring it up?

Garrett

Received on Wednesday, 24 February 2010 16:30:31 UTC