Disable <meta> Set-Cookie

[joelweinberger]

This is to address #36. @devd, can you review?

[devd]

hmm .. shouldn't this just happen automatically by virtue of being a separate origin? does the sandbox spec also say "disable meta cookie" explicitly?

[joelweinberger]

Great question. I believe sandbox is taken care of because step 2 of https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv-set-cookie reads:

Act as if receiving a set-cookie-string for the document's URL via a "non-HTTP" API, consisting of the value of the element's content attribute encoded as UTF-8. [COOKIES] [ENCODING]

and I believe that the document's URL in this case will end up being the suborigin-encoded URL, and we don't want to "set a cookie" on that since, as discussed in #27, we decided to associate cookies with the physical origin.

[joelweinberger]

Also, to clarify, https://tools.ietf.org/html/rfc6265 takes care of receiving a Set-Cookie header going to the physical origin since it's defined by the request-uri which will be the physical origin.

[annevk]

Ideally <meta http-equiv=Set-Cookie> and document.cookie are governed by the same thing, since they more or less work identically (except the latter also having a getter).

[joelweinberger]

Per your suggestion from a while back, @annevk, I made the behavior for cookies make the Document cookie-averse. I was under the impression that cookie-averseness only affected the JavaScript API, and I was trying to address the case, too. Am I misreading cookie-averse behavior? Does it also restrict ? Intuitively, it seems like it ought to.

cc @bsittler

[joelweinberger]

From reading it again, nothing in https://html.spec.whatwg.org/#cookie-averse-document-object seems to indicate that should be ignored, and nothing in https://html.spec.whatwg.org/#attr-meta-http-equiv-set-cookie says anything about cookie-averse documents. This does seem surprising to me.

[annevk]

Yeah, that might just be a bug. Lots of details around cookies still need to be fixed.

[joelweinberger]

Ah, cool. I'll update this CL to change the Set-Cookie processing to account for cookie-averse documents, but I'll also file a WHATWG bug since that seems like behavior that should be updated independent of suborigins.

[joelweinberger]

Let me know if this update looks good to you. If so, I'll file a bug on HTML pointing at this change to suggest it.

[annevk]

That looks reasonable, thanks.

[joelweinberger]

Great! I've submitted https://github.com/whatwg/html/issues/1950 to propose this change, but in the meantime, @devd, let me know if it looks good because I'd like this to be explicit in our spec in the meantime.