whatwg / html

HTML Standard
https://html.spec.whatwg.org/multipage/

Cookie averse document objects don't allow cookies on documents from file: URIs #3008

Open mrbkap opened 7 years ago

mrbkap commented 7 years ago

Currently, the definition of cookie averse document objects specifies that documents whose URL scheme is not a "network scheme" should be considered cookie averse. The spec then checks if a document is cookie averse in the cookie getter and setter. This means that documents loaded from file: URIs are unable to get or set cookies.

Mozilla has explicitly supported cookies for file: URIs for years and to follow this would change that. Currently, we let file: URIs have an empty base domain, which works because we don't allow cookies from any other "no domain" URIs.

I did some testing and currently Firefox, Edge, and Safari allow cookies on file: URIs. Chrome is the odd browser out that doesn't allow them.

I think the spec should allow cookies to be set on file: URIs.
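The behaviour difference described in the comment above, as an added JavaScript sketch (not code from the issue, the spec, or any browser). `makeDocument`, `probeCookieAccess`, the `allowFileCookies` switch and the scheme list are assumptions made for illustration; the probe itself only touches `document.cookie`, so it can be run against a real `document` to see which behaviour a browser implements.

```javascript
// Assumption: "network scheme" means ftp or an HTTP(S) scheme.
const NETWORK_SCHEMES = new Set(["http", "https", "ftp"]);

function schemeOf(url) {
  return new URL(url).protocol.slice(0, -1); // "file:" -> "file"
}

// The rule quoted in the issue: a non-network scheme makes the document cookie averse.
function isCookieAverse(url) {
  return !NETWORK_SCHEMES.has(schemeOf(url));
}

// Hypothetical stand-in for a Document, reduced to its cookie accessor.
// allowFileCookies models the browsers that keep cookies for file: documents.
function makeDocument(url, { allowFileCookies = false } = {}) {
  const exempt = allowFileCookies && schemeOf(url) === "file";
  const averse = isCookieAverse(url) && !exempt;
  const jar = new Map();
  return {
    URL: url,
    get cookie() {
      if (averse) return ""; // cookie averse: getter yields the empty string
      return [...jar].map(([k, v]) => `${k}=${v}`).join("; ");
    },
    set cookie(value) {
      if (averse) return; // cookie averse: setter is silently ignored
      const [pair, ...attrs] = value.split(";").map((s) => s.trim());
      const eq = pair.indexOf("=");
      if (eq < 1) return;
      const name = pair.slice(0, eq);
      const expired = attrs.some((a) => /^max-age=(0|-\d+)$/i.test(a));
      if (expired) jar.delete(name);
      else jar.set(name, pair.slice(eq + 1));
    },
  };
}

// Write a marker cookie, read it back, then expire it again.
// Returns true when the document actually stores cookies.
function probeCookieAccess(doc) {
  const name = "__cookie_probe";
  doc.cookie = `${name}=1`;
  const stored = doc.cookie.split("; ").includes(`${name}=1`);
  if (stored) doc.cookie = `${name}=; Max-Age=0`;
  return stored;
}
```

Because a cookie-averse document ignores the write without throwing, application code that keeps state in cookies fails silently on such a page; the read-back is the only way to notice.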

Rob--W commented 1 year ago

FYI this spec bug was filed as a follow-up to https://bugzilla.mozilla.org/show_bug.cgi?id=1325923#c40

As for "Mozilla has explicitly supported cookies for file: URIs for years and to follow this would change that" -> this has indeed been the case for at least 2 decades, per https://bugzilla.mozilla.org/show_bug.cgi?id=209964

annevk commented 1 year ago

As I just mentioned in another issue, we're pretty bad about file: URLs in general. It's also not clear to me what useful thing we can say here, as there are many aspects of cookies that are a poor fit for these URLs.

I suppose we could try to more explicitly declare file: URLs as mostly out-of-scope.