patrickkettner / cookie-change-events

small extension to document.cookie that allows for event listeners
https://patrickkettner.github.io/cookie-change-events/

Implicit vs. explicit Domain attribute, port number #35

Open bsittler opened 7 years ago

bsittler commented 7 years ago

At present, many widely-used browsers (though not all of them) treat a cookie with no Domain attribute differently than a cookie with a Domain attribute explicitly matching the host - specifically, Domain-less cookies will not propagate to subdomains whereas explicit-Domain cookies will. How will such browsers report these two distinct Domain values (implicit vs. explicit) in the getters and/or change events?

Also, browsers differ somewhat in how they handle cookies on non-default port numbers. Is port number reflected in this API, or not? Are cookies ever implicitly or explicitly port-specific? What happens when Domain includes a port number? Are explicit ports matching the default port for the protocol equivalent to no port or not?

patrickkettner commented 7 years ago

How will such browsers report these two distinct Domain values (implicit vs. explicit) in the getters and/or change events?

do you mean what would the domain field on those cookies be reported as? The change events would fire on domains by which the cookie is available and readable via script. So if the domain is specified, and subdomains do not have access to that cookie, and that cookie changes, a user-agent should not fire a cookie change event on that page. The events should be scoped to events that are observable by that page.

Also, browsers differ somewhat in how they handle cookies on non-default port numbers.

How so?

Is port number reflected in this API, or not?

By the current design, UAs should be returning the string (or substring, if using the serializedCookie string) that was used to set the value. Do you feel like it should be something else?

Are cookies ever implicitly or explicitly port-specific? What happens when Domain includes a port number? Are explicit ports matching the default port for the protocol equivalent to no port or not?

Feels like that is at the rfc 6265 level, rather than here, right?

bsittler commented 7 years ago

Apologies, I should have been clearer. What I meant is, what should be reported when reading the cookie jar after two cookies have been written like this on https://example.org/test.html:

Set-Cookie: TEST=domainless; path=/
Set-Cookie: TEST=domainful; path=/; domain=example.org

Right now the next request sent to https://example.org by Chrome will have:

Cookie: TEST=domainless; TEST=domainful

However the next request sent by Chrome to a subdomain https://www.example.org will have only:

Cookie: TEST=domainful

What will the reported "domain" field be for each cookie?

Edit: In its user interface, Chrome represents the "domainful" cookie as written to ".example.org" and the "domainless" one as written to "example.org", but this representation is not usable in e.g. Set-Cookie or a write to document.cookie, and presumably whatever the new cookie API reports to readers/in event notifications should match what is given when creating/updating/expiring a cookie through the new cookie-writing interface.
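The host-only versus Domain-attribute behaviour the thread describes follows from the RFC 6265 storage (§5.3) and matching (§5.4) rules. As an added example that is not part of this issue or the cookie-change-events project, the model below stores the two Set-Cookie headers from the thread as received from example.org and shows which cookies a request to example.org and to www.example.org would carry. The `storeCookie`, `domainMatches` and `cookieHeader` helpers, and the plain-object cookie jar, are assumptions of this example, not browser or spec API.

```javascript
// RFC 6265 §5.1.3 domain-matching: host equals the domain, or is a subdomain of it
// (and is not an IP address). Used for cookies that carry a Domain attribute.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return host.endsWith('.' + domain) && !/^\d+\.\d+\.\d+\.\d+$/.test(host);
}

// RFC 6265 §5.3: turn a Set-Cookie header received from requestHost into a stored cookie.
// No Domain attribute -> host-only cookie bound to the exact request host.
// Domain attribute    -> host-only flag cleared; the cookie is sent to subdomains too.
// Returns null when the Domain does not cover the request host (the UA must ignore it).
function storeCookie(setCookieHeader, requestHost) {
  const [pair, ...attrs] = setCookieHeader.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   path: '/', hostOnly: true, domain: requestHost.toLowerCase() };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'domain' && v.trim()) {
      const d = v.trim().replace(/^\./, '').toLowerCase(); // a leading dot is ignored
      if (!domainMatches(requestHost, d)) return null;     // §5.3 step 6: reject
      cookie.hostOnly = false;
      cookie.domain = d;
    } else if (key === 'path') {
      cookie.path = v.trim() || '/';
    }
  }
  return cookie;
}

// RFC 6265 §5.4: host-only cookies need an exact host match, domain cookies domain-match.
function cookiesFor(jar, host) {
  const h = host.toLowerCase();
  return jar.filter(c => (c.hostOnly ? h === c.domain : domainMatches(h, c.domain)));
}

// Serialize the matching cookies as a Cookie request header value.
function cookieHeader(jar, host) {
  return cookiesFor(jar, host).map(c => `${c.name}=${c.value}`).join('; ');
}

// Constructed input: the two headers from the thread, received from https://example.org/test.html.
const jar = [
  storeCookie('TEST=domainless; path=/', 'example.org'),
  storeCookie('TEST=domainful; path=/; domain=example.org', 'example.org'),
].filter(Boolean);

console.log(cookieHeader(jar, 'example.org'));     // TEST=domainless; TEST=domainful
console.log(cookieHeader(jar, 'www.example.org')); // TEST=domainful
```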