-
Notifications
You must be signed in to change notification settings - Fork 146
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cookie layering #2084
Comments
Closed
Just adding my support (and couple tags) for this proposal, I like the idea of putting pieces in the layers they belong. |
#1593 has some good ideas for this. |
This was referenced Sep 25, 2023
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
While most cookies don't have layers in my experience (turns out that is limited), some layering would be appropriate for the HTTP State Management Mechanism. I touched upon this last year in #1430, but thought I would raise it again after the W3C Privacy CG had a discussion about this yesterday.
I thought I'd describe my idea for how this could work as a conversation starter. But to be clear, I'm open to alternatives. What I'd like to see is that the cookie specification describes cookies (as a concept/object) and how to parse and serialize
Set-Cookie
andCookie
headers. We'd continue to define new attributes and anything syntax-related in the cookie specification. (Through revisions, essentially as it's maintained now.)That leaves storage and some amount of logic around that. For web browsers in particular we need to get a better hold of that to define
document.cookie
, Fetch, and in general websites better. That doesn't necessarily mean that the cookie specification shouldn't touch them at all and I think it should continue to describe a default model there, especially given non-web-browser clients. But web browser specifications (Fetch, HTML) should be allowed to define a model that integrates more tightly, perhaps as long as certain base requirements in the cookie specification aren't violated. In turn, that would also allow the cookie specification itself to be more agnostic of browsers as the current draft contains a lot of logic particular to subresources of HTML documents, workers, etc.Any thoughts about this would be greatly appreciated!
The text was updated successfully, but these errors were encountered: