Integrate with new draft cookie spec (draft-annevk-johannhof-httpbis-cookies/00+ε) #1807
Conversation
bvandersloot-mozilla
changed the title
bvandersloot-mozilla
force-pushed
the
main
branch
from
fb9259d to
4aa94f8
Compare
This is a concept that originated in the Storage Access API, where it has been stuck because of spec issues between Fetch and 6265bis. To un-logjam this, I've started whatwg/fetch#1807. That depends on this bit existing. This patch adds the bit, which remains false, and does nothing.
To un-logjam the cookie layering work, I've started whatwg/fetch#1807. That depends on this info to be piped into Fetch so we can actually specify in WHATWG what SameSite=Strict means. This patch plumbs that through on top-level navigatable fetches. This doesn't build because it relies upon the corresponding patch in Fetch. Let me know to land these.
|
This should be good, assuming whatwg/html#10991, whatwg/html#10990, and whatwg/html#8036 all land. |
|
I think this PR series looks great to me overall, but I also think we should wait for HTTP WG adoption of the new cookies spec before seriously moving forward with this (should do the reviews now, though!) |
bvandersloot-mozilla
force-pushed
the
main
branch
from
4aa94f8 to
0994460
Compare
|
I've removed the partitioning bits from this, and will make them as a separate PR after we've merged this |
bvandersloot-mozilla
force-pushed
the
main
branch
from
0994460 to
aef5c9d
Compare
|
Indentation is still a mess- I'll get to that next. |
There was a problem hiding this comment.
You need to coordinate with @DCtheTall what additional calls into the IETF draft to make. This is not handling clearing cookies after storing, clearing cookies from UI, or clearing cookies periodically. We need to have some wording for all of that in the "Cookies" section.
I think we need some cookie spec updates to be able to do the operations of clearing from UI and clearing periodically. I'll poke down the stack on that. |
bvandersloot-mozilla
force-pushed
the
main
branch
from
08054db to
72d8ecf
Compare
This is a concept that originated in the Storage Access API, where it has been stuck because of spec issues between Fetch and 6265bis. To un-logjam this, I've started whatwg/fetch#1807. That depends on this bit existing. This patch adds the bit, which remains false, and does nothing.
Co-Authored-By: Anne van Kesteren <[email protected]>
This helps with the HTTP WG's layered cookies draft integration work. whatwg/fetch#1807 depends on this state being passed in so we can define SameSite=Strict properly.
This adds algorithms to retrieve and store cookies via the new draft cookie spec, assuming we have some more partitioning arguments.
It is based on #1707, and in total it does the following:
This blocks on some HTML changes
This patch does the following on top of the work in #1707:
rebase to main
add logic for parsing and storing cookies
point to the IETF-hosted draft cookie spec
don't point to storage access API for has storage access, use a broken link instead
add a broken link to environment/ancestry
add a broken link for the request's initiator origin plumbed in from HTML. It'll be defined here, but we need to modify HTML so we can track it in the top.
add broken links to things that need to be added to HTML
fix some nits (e.g. "foo" -> "
foo")use [=secure context=] not scheme=https
use SameSite=None by default. Let's punt on that for now, given the current state of implementations and lack of clear path forward.
At least two implementers are interested (and none opposed):
[x] Mozilla
[x] Apple
[x] Google
Tests are written and can be reviewed and commented upon at:
Implementation bugs are filed:
MDN issue is filed: n/a
The top of this comment includes a clear commit message to use.
Preview | Diff