httpwg / http-extensions

HTTP Extensions in progress
https://httpwg.org/http-extensions/

EAT Cookies #718

Open mnot opened 5 years ago

mnot commented 5 years ago

When we started 6265bis, we gained WG consensus to incorporate Expiring Aggressively Those HTTP Cookies.

johnwilander commented 5 years ago

Yes, this seems to have been one of the main drivers for a new version of the spec. Since this issue was opened just a month ago, I assume no detailed decisions have been made on how the incorporation should happen (I saw the comment that it may be incorporated non-verbatim).

mikewest commented 4 years ago

I don't think that any vendor has made substantial progress in this space, and I don't think waiting for someone to ship something is going to meet the goal of finishing this document in Q1.

Would it be reasonable to add an aspirational section to the Security Considerations that points to @martinthomson's EAT draft, and my https://github.com/mikewest/cookies-over-http-bad as potential directions that user agents should feel encouraged to explore? Or should we punt this further down the road?

martinthomson commented 4 years ago

This was always going to be aspirational. Recognizing that maximum retention lifetimes are a question of policy means that you are not going to get much out of these specs. I would prefer to look at the main body of the document though, as your suggestion says.