standards-positions
standards-positions copied to clipboard
Cookie Store API
Request for position on an emerging web specification
- WebKittens who can provide input:
Information about the spec
- Spec Title: Cookie Store API
- Spec URL: https://wicg.github.io/cookie-store/
- GitHub repository: https://github.com/WICG/cookie-store
Design reviews and vendor positions
- Mozilla standards-positions issue: https://github.com/mozilla/standards-positions/issues/94
There is also a TAG review request here: https://github.com/w3ctag/design-reviews/issues/290
This comment by Ehsan on the Mozilla issue still seems applicable and relevant:
Basically I think this API mostly achieves only one of the motivations stated in https://wicg.github.io/cookie-store/#intro-motivation, that is, providing cookie access to service workers, but as far as I can see doesn't really help address the other points mentioned in the Motivation section, such as lack of interoperability in processing cookies among browsers and divergent specs and UA behaviours. Perhaps I'm missing something but I believe if all major browsers just adopted the current Cookie Store API, it would help with none of the problems this research is highlighting for example: http://inikulin.github.io/cookie-compat/.
Another thing that makes me uncomfortable with the existing API is that it provides scripting access to new data about cookies which the platform currently doesn't provide (
domain
,path
,expires
,secure
, andsamesite
). It is unclear to me if access to this extra data is completely OK, especially given the fact that it allows scripts to examine the properties of cookies set by scripts coming from another origin. The current spec is silent on any privacy implications. But I believe if Gecko would one day consider implementing this spec with the intention of shipping it, we should probably have a discussion about whether we'd like to expose this new data to the Web platform first.
Based on that I'm adding concerns: API design
, concerns: complexity
, and concerns: integration
.
Marking this as blocked
until the identified issues are addressed.
Is https://bugs.webkit.org/show_bug.cgi?id=258504 an indication that WebKit's position has changed?
I don’t know if we’ve had a chance to communicate our latest analysis but it’s important for us that no cookie metadata is exposed through this API. The old document.cookie API provides key+value and that’s the only thing that should be exposed. User agents should be at liberty to honor, change, or not honor cookie directives, and webpages should not be able to check which decision the user agent made. This is important to be able to protect the user and enforce a cookie policy without websites pushing users to change settings.
Yeah, couple of things to add to what John said above:
- There is no change in position as we do not have a position.
- https://github.com/WebKit/standards-positions/issues/36#issuecomment-1282266977 still stands.
- We see value in providing asynchronous access to cookies (synchronous access to network state is very far from ideal), provided the capabilities of
document.cookie
are not exceeded. - Parity with
document.cookie
as a goal resolves some of the concerns as not being able to represent all cookies would no longer be a problem, for instance. It would just be how API cookies "work". - We're experimenting to see if a subset of the Cookie Store API can meet all these goals. (In particular when getting a UTF-8-compatible cookie you can only see its value. Not its various attributes.)
It would be interesting to know if @inexorabletash, @ayuishii, et al. could see eventual convergence on this set of ideas so we might all end up with the same API.
Modulo compatibility with deployed content, converging on the above seems reasonable.
Usage of the API per https://chromestatus.com/metrics/feature/timeline/popularity/2510 is higher than I would have expected, so research (as you're doing) would be necessary to ensure a subset of what Chrome currently ships is feasible.
The release notes for 17.2 say "Added the change event for the Cookie Store API. (113809948)" It would be good to get some clarity on what parts of the API are supported. https://developer.apple.com/documentation/safari-release-notes/safari-17_2-release-notes
Given that the API is still behind a "testable" flag, I have a feeling the mention in the 17.2 release notes is a mistake and should be removed.