Add checks for not potentially trustworthy and "file" origins.

WICG / cookie-store

Asynchronous access to cookies from JavaScript

https://wicg.github.io/cookie-store/

Apache License 2.0

143 stars 35 forks source link

Add checks for not potentially trustworthy and "file" origins. #219

Open inexorabletash opened 1 year ago

inexorabletash commented 1 year ago

This aligns the spec with Chromium's behavior, namely that writes where the origin is not potentially trustworthy or is "file" scheme result in failure with a TypeError.

Resolves #193

Preview | Diff

inexorabletash commented 1 year ago

This PR (as currently written) is purely to align the spec text w/ Chromium behavior. That doesn't mean we should merge it though! Notably:

Chromium doesn't error on read. Should it?
document.cookie prevents writes if the document is "cookie-averse". Alignment might be nice?
Needs tests!

inexorabletash commented 1 year ago

I looked briefly at tests just to capture Chrome's behavior - given the [SecureContext] requirement for the API I'm drawing a blank on exercising the "not potentially trustworthy" check from WPT given https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy .

A manual test for file: is doable. Ideas welcome.