Clear cookie misses extra arguments

[enolfc]

Similarly to set_cookie, the clear_cookie function should be able to take extra cookie arguments, otherwise the browser may refuse to clear the cookie. This is happening at least for the SameSite attribute.

[bdarnell]

Hmm, that's surprising. Which browser works like this?

According to the spec (RFC 6265bis-05 section 5.4 step 17), only the name, domain, and path matter for matching cookies for deletion.

[enolfc]

This happens at least on Brave (even with shields off) version 1.13.82 Chromium: 85.0.4183.83 (Official Build) (64-bit) and chrome.

Error reported is:

This Set-Cookie didn't specify a "SameSite" attribute and was defaulted to "SameSite=Lax," and was blocked because it came from a cross-site response which was not the response to a top-level navigation. The Set-Cookie had to have been set with "SameSite=None" to enable cross-site usage.

[bdarnell]

Ah, OK. SameSite cookies introduce multiple special cases here:

• The fact that SameSite defaults to lax means that you must specify SameSite=None when setting or deleting a cookie if the request doesn't count as "same site".
• Additionally, when setting SameSite=None, you must also set Secure. reference

The former rule can technically be found in the RFC, not in the storage model section, but in the fact that Set-Cookie headers that fail SameSite validation get dropped before processing. The latter rule is documented in MDN although I can't find anything about it in the RFC.

So clear_cookie needs to support at least those two arguments, which means it should probably use **kwargs to support everything accepted by set_cookie. This unfortunately breaks RequestHandler.clear_all_cookies for any application that needs to use SameSite=None because there is no way for the application to know which cookies should have this attribute.