
Add checks for not potentially trustworthy and "file" origins.

Open inexorabletash opened this issue 2 years ago • 4 comments

This aligns the spec with Chromium's behavior, namely that writes where the origin is not potentially trustworthy or is "file" scheme result in failure with a TypeError.

Resolves #193



inexorabletash avatar Jul 07 '23 23:07 inexorabletash

This PR (as currently written) is purely to align the spec text w/ Chromium behavior. That doesn't mean we should merge it though! Notably:

  • Chromium doesn't error on read. Should it?
  • document.cookie prevents writes if the document is "cookie-averse". Alignment might be nice?
  • Needs tests!

inexorabletash avatar Jul 07 '23 23:07 inexorabletash

I looked briefly at tests just to capture Chrome's behavior - given the [SecureContext] requirement for the API I'm drawing a blank on exercising the "not potentially trustworthy" check from WPT given https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy .

A manual test for file: is doable. Ideas welcome.

inexorabletash avatar Jul 10 '23 19:07 inexorabletash

@bakulf @rupinmittal what do Gecko and WebKit do here?

annevk avatar Jul 28 '25 14:07 annevk

Currently, in Gecko, the CookieStore API is not available on potentially untrustworthy origins or pages loaded using the "file" scheme.

bakulf avatar Jul 28 '25 14:07 bakulf
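
The write check from the PR description at the top of this thread, as an added example (not the spec text and not Chromium's code). The trust test is a reduced form of the Secure Contexts algorithm linked above, in which "file" origins count as potentially trustworthy, so the scheme check is a separate condition. Function names and sample URLs are assumptions made for the illustration.

```javascript
// Added example: simplified model of the write check in this PR.
// Function names are hypothetical; sample URLs are constructed.

// Reduced form of the Secure Contexts "is origin potentially trustworthy"
// algorithm; opaque origins and user-agent allowlists are left out.
function isPotentiallyTrustworthy(url) {
  const scheme = url.protocol.slice(0, -1);
  if (scheme === 'https' || scheme === 'wss') return true;
  const host = url.hostname.toLowerCase().replace(/\.$/, '');
  if (/^127(\.\d{1,3}){3}$/.test(host)) return true;      // 127.0.0.0/8
  if (host === '[::1]') return true;                      // IPv6 loopback
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (scheme === 'file') return true;   // "file" passes this algorithm
  return false;
}

// The PR's condition: fail with TypeError when the origin is not
// potentially trustworthy OR the scheme is "file".
function checkCookieWrite(url) {
  if (!isPotentiallyTrustworthy(url) || url.protocol === 'file:') {
    throw new TypeError(`cookie write refused for ${url.href}`);
  }
}

// Returns 'ok' or 'TypeError' for a URL string, mirroring what a caller
// of a write method would observe under this model.
function writeOutcome(urlString) {
  const url = new URL(urlString);
  try {
    checkCookieWrite(url);
    return 'ok';
  } catch (e) {
    if (e instanceof TypeError) return 'TypeError';
    throw e;
  }
}

// Constructed sample URLs covering each branch.
const samples = [
  'https://example.com/',
  'http://example.com/',
  'http://app.localhost:3000/',
  'http://127.0.0.1:8080/',
  'file:///tmp/page.html',
];
for (const s of samples) console.log(`${s} -> ${writeOutcome(s)}`);
```
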