Add support for Partitioned Cookies

[amcasey]

Background and Motivation

CHIPS is a draft for incrementally moving away from third-party cookies to improve privacy.

Feature request: https://github.com/dotnet/aspnetcore/issues/53224 PR: https://github.com/dotnet/aspnetcore/pull/55371

Proposed API

namespace Microsoft.Net.Http.Headers;

public class SetCookieHeaderValue
{
+    public bool Partitioned { get; set; }
}

namespace Microsoft.AspNetCore.Http;

public class CookieBuilder
{
+    public virtual bool Partitioned { get; set; }
}

public class CookieOptions
{
+    public bool Partitioned { get; set; }
}

Usage Examples

IResponseCookies responseCookies;
responseCookies.Append("cookieName", "cookieValue", new CookieOptions
{
    Partitioned = true,
    SameSite = SameSiteMode.None,
    Secure = true,
});

You can also use a CookieBuilder, but that won't do any validation (as for Same-Site).

Alternative Designs

n/a

Risks

I understand the CHIPS spec isn't actually finalized.

[dotnet-policy-service[bot]]

Thank you for submitting this for API review. This will be reviewed by @dotnet/aspnet-api-review at the next meeting of the ASP.NET Core API Review group. Please ensure you take a look at the API review process documentation and ensure that:

• The PR contains changes to the reference-assembly that describe the API change. Or, you have included a snippet of reference-assembly-style code that illustrates the API change.
• The PR describes the impact to users, both positive (useful new APIs) and negative (breaking changes).
• Someone is assigned to "champion" this change in the meeting, and they understand the impact and design of the change.

[amcasey]

• Does CookiePolicyOptions need this?
  • We could do that for completeness, but let's hold off for now
• Why can't users just use Extensions?
  • Aside: extensions were new in 7.0
• Katana lacks extensions, so it will need its own new API
• Throwing might interact badly with proxies
  • Sites may not see the same Secure attribute that eventually reaches the browser
• There's no validation below ResponseCookies because that's the lowest layer with a logger
• Things will get unpleasant if the final name isn't "Partitioned" or the final type isn't "bool"

[amcasey]

API approved

namespace Microsoft.Net.Http.Headers;

public class SetCookieHeaderValue
{
+    public bool Partitioned { get; set; }
}

namespace Microsoft.AspNetCore.Http;

public class CookieBuilder
{
+    public virtual bool Partitioned { get; set; }
}

public class CookieOptions
{
+    public bool Partitioned { get; set; }
}

[dotnet-policy-service[bot]]

Thank you for submitting this for API review. This will be reviewed by @dotnet/aspnet-api-review at the next meeting of the ASP.NET Core API Review group. Please ensure you take a look at the API review process documentation and ensure that:

• The PR contains changes to the reference-assembly that describe the API change. Or, you have included a snippet of reference-assembly-style code that illustrates the API change.
• The PR describes the impact to users, both positive (useful new APIs) and negative (breaking changes).
• Someone is assigned to "champion" this change in the meeting, and they understand the impact and design of the change.

[amcasey]

(Updated labels on the wrong issue.)