Closed DCtheTall closed 1 year ago
This PR is a change to the CookieStore API spec to support partitioned cookies.
These changes could be used to support the Partitioned attribute, a.k.a. CHIPS.
There is an open PR in the CHIPS repository adding a note about these changes to the explainer.
One quick addendum: if user agents implement service worker partitioning (ref) then the cookie's partition key should be the site of the worker's partition key.
If user agents don't implement storage partitioning, then partitioned cookies may need to be blocked in service workers. Otherwise, service workers could use partitioned cookies as a cross-site identifier. See the CHIPS explainer for more detail.
Service worker partitioning is also mentioned in more detail in this proposal.
Wow, this fell off my radar. Is this just waiting for final review/merge, or is there further discussion that should happen first?
BTW, I was playing with cookieStore/document.cookie interop and it took me a while to realize that with document.cookie "partitioned" is ignored unless "path" and "secure" are also specified, which are the default with cookieStore but of course not document.cookie. Do you think we should add an example in the "Modifying Cookies" section, or is this well known?
BTW, I was playing with cookieStore/document.cookie interop and it took me a while to realize that with document.cookie "partitioned" is ignored unless "path" and "secure" are also specified
Tad correction, you only need the "secure" attribute set. The "path" attribute is not necessary 😄
Do you think we should add an example in the "Modifying Cookies" section, or is this well known?
The Secure requirement is a well-known part of the proposal for the definition of Partitioned for RFC6265bis.
BTW, I was playing with cookieStore/document.cookie interop and it took me a while to realize that with document.cookie "partitioned" is ignored unless "path" and "secure" are also specified
Tad correction, you only need the "secure" attribute set. The "path" attribute is not necessary 😄
Thanks for clarifying! https://source.chromium.org/chromium/chromium/src/+/main:net/cookies/canonical_cookie_unittest.cc;l=731 mislead me a bit I guess.
Thanks for clarifying! source.chromium.org/chromium/chromium/src/+/main:net/cookies/canonical_cookie_unittest.cc;l=731 mislead me a bit I guess.
Ah, this is because Path=/ is required for the Host- prefix, which that cookie also uses. I can see why that is initially confusing, especially considering Partitioned was originally designed to require Host- but we loosened it to only require Secure 😄
Preview | Diff
Preview | Diff