w3c / webappsec-clear-site-data

WebAppSec Clear Site Data
https://w3c.github.io/webappsec-clear-site-data/

Clear a specific cookie #82

Open yoavweiss opened 2 months ago

yoavweiss commented 2 months ago

Over the years, large sites and platforms can accumulate "cookie cruft" - cookies that they observe coming from users, but ones that are no longer actively used and don't exist in their current codebase.

Deleting such cookies is possible by setting their expiry date to one in the past. At the same time, in order to do that, one needs to know the "domain" and "path" parameters with which they were set, which is not something that can be passively observed on the server side.

It'd be useful to have a way to clear specific cookie names regardless of their path and domain.

/cc @colinbendell
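The workaround the issue alludes to, as an added example that is not part of the thread or the spec: since the server cannot see the Domain and Path a cookie was set with, it has to emit one expiring Set-Cookie per plausible Domain/Path combination derived from the request host and path. The two-label stop for the registrable domain (e.g. example.com) is an assumption standing in for a Public Suffix List lookup.

```javascript
// Added example, not code from the issue. Builds the Set-Cookie headers that
// expire cookie `name` under every Domain/Path pair it could have been set
// with, because incoming Cookie headers carry neither attribute.
const EXPIRED = 'Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0';

// Candidate Domain values: none (host-only cookie), the request host itself,
// and each parent domain down to the registrable domain. `minLabels` is an
// assumption (2 = example.com); production code should consult the
// Public Suffix List so it never emits a Domain on a public suffix.
function candidateDomains(host, minLabels = 2) {
  const labels = host.split('.');
  const domains = [null];
  for (let i = 0; i <= labels.length - minLabels; i++) {
    domains.push(labels.slice(i).join('.'));
  }
  return domains;
}

// Candidate Path values: "/" plus every prefix of the request path. The
// browser's default-path rule drops the last segment, but a cookie may also
// have been set with an explicit Path, so all prefixes are covered.
function candidatePaths(path) {
  const paths = ['/'];
  let current = '';
  for (const seg of path.split('/').filter(Boolean)) {
    current += '/' + seg;
    paths.push(current);
  }
  return paths;
}

// One Set-Cookie header per Domain/Path pair; the browser only removes a
// cookie whose name, domain and path all match, so every pair is needed.
function expireCookieHeaders(name, host, path) {
  const headers = [];
  for (const domain of candidateDomains(host)) {
    for (const p of candidatePaths(path)) {
      let header = `${name}=; ${EXPIRED}; Path=${p}`;
      if (domain) header += `; Domain=${domain}`;
      headers.push(header);
    }
  }
  return headers;
}
```

The blunt alternative already in the spec is `Clear-Site-Data: "cookies"`, which drops every cookie for the registrable domain rather than one name, which is exactly the granularity the issue is asking for.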

annevk commented 2 months ago

I think this use case makes sense, but we should probably standardize this in the IETF. E.g., Delete-Cookie: name1, name2.

johannhof commented 2 months ago

FYI @dcthetall @sbingler

I think this could be useful, I wonder if there are any Privacy / Security considerations from clearing individual cookies without knowing their domain / path (effectively being able to override these cookies), but alas this seems already possible with CSD? (cc @arturjanc, @ddworken)

arturjanc commented 1 month ago

I'm fairly sure that being able to clear / override individual cookies is already a capability that exists in the platform. If you control an arbitrary HTTP header on a sibling subdomain you'll generally be able to overflow the parent domain's cookie jar and remove or overwrite arbitrary cookies. So I don't think that adding this as an explicit capability would open applications up to any new risks.