Integrate with new draft cookie spec (draft-annevk-johannhof-httpbis-cookies/00+ε) #1807
Conversation
bvandersloot-mozilla
changed the title
bvandersloot-mozilla
force-pushed
the
main
branch
from
fb9259d to
4aa94f8
Compare
This is a concept that originated in the Storage Access API, where it has been stuck because of spec issues between Fetch and 6265bis. To un-logjam this, I've started whatwg/fetch#1807. That depends on this bit existing. This patch adds the bit, which remains false, and does nothing.
To un-logjam the cookie layering work, I've started whatwg/fetch#1807. That depends on this info to be piped into Fetch so we can actually specify in WHATWG what SameSite=Strict means. This patch plumbs that through on top-level navigatable fetches. This doesn't build because it relies upon the corresponding patch in Fetch. Let me know to land these.
|
This should be good, assuming whatwg/html#10991, whatwg/html#10990, and whatwg/html#8036 all land. |
| <a href=https://httpwg.org/specs/rfc6265.html#cookie>section 5.4</a> of | ||
| [[!COOKIES]]) with the user agent's cookie store and <var>httpRequest</var>'s | ||
| <a for=request>current URL</a>. | ||
| <p class=note>This permits some implementations to choose to not support cookies for some or all <var>httpRequest</var>s. |
There was a problem hiding this comment.
"This" here refers to the word "should" in the line below? I'm not a huge fan of that, both because it's a bit subtle and also because it doesn't account for the opposite case: All major browsers have settings / overrides that will allow cross-site cookies to be sent, so I think it would be preferable to insert a step that allows user agents to make an additional implementation defined choice about whether to include cookies or not. It might have to live in the append a request Cookie header algorithm.
Obviously this should be reserved for truly implementation-specific settings and anything else should be standardized here.
|
I think this PR series looks great to me overall, but I also think we should wait for HTTP WG adoption of the new cookies spec before seriously moving forward with this (should do the reviews now, though!) |
bvandersloot-mozilla
force-pushed
the
main
branch
from
4aa94f8 to
0994460
Compare
|
I've removed the partitioning bits from this, and will make them as a separate PR after we've merged this |
bvandersloot-mozilla
force-pushed
the
main
branch
from
0994460 to
aef5c9d
Compare
| return true: | ||
| <p>A <a for=/>request</a> has a <dfn for=request id=concept-request-redirect-taint>redirect-taint</dfn>, | ||
| which is "<code>None</code>", "<code>Cross-Origin</code>", or "<code>Cross-Site</code>". | ||
| <p>To get <a for=/>request</a> <var>request</var>'s <a>redirect-taint</a>: |
There was a problem hiding this comment.
Enum values, including internal enum values, are lowercase.
| <li><p>If <var>url</var>'s <a for=url>origin</a> is not <a>same origin</a> with | ||
| <var>lastURL</var>'s <a for=url>origin</a> and <var>request</var>'s <a for=request>origin</a> is | ||
| not <a>same origin</a> with <var>lastURL</var>'s <a for=url>origin</a>, then return true. | ||
| not <a>same origin</a> with <var>lastURL</var>'s <a for=url>origin</a>, | ||
| then let <var>crossOriginTaint</var> be "<code>Cross-Origin</code>".. |
There was a problem hiding this comment.
Should this be "same-site" or "same-site-cross-origin"?
Also, you overwrite a variable with "set" and "to". "Let ... be" is only for initializing.
Single dot at the end here too.
| @@ -2489,6 +2518,9 @@ this is also tracked internally using the request's <a for=request>timing allow | |||
| <p>A <a for=/>response</a> has an associated <dfn for=response>has-cross-origin-redirects</dfn> | |||
| (a boolean), which is initially false. | |||
|
|
|||
| <p>A <a for=/>response</a> has an associated <dfn for=response>has-cross-site-redirects</dfn> | |||
| (a boolean), which is initially false. | |||
There was a problem hiding this comment.
Hmm, it strikes me that we should turn these two into a "redirect taint" enum for responses?
| @@ -3292,6 +3324,72 @@ through TLS using ALPN. The protocol cannot be spoofed through HTTP requests in | |||
|
|
|||
| <h2 id=http-extensions>HTTP extensions</h2> | |||
|
|
|||
| <h3 id=cookie-header>`<code>Cookie</code>` header</h3> | |||
|
|
|||
| <p>The `<dfn export http-header id=http-cookie><code>Cookie</code></dfn>` | |||
There was a problem hiding this comment.
I don't think it's appropriate to <dfn> it. We should do this more akin to Content-Type.
|
|
||
| <div algorithm> | ||
| <p>To <dfn id=append-a-request-cookie-header>append a request `<code>Cookie</code>` header</dfn>, | ||
| given a <a for=/>request</a> <var>request</var>, run these steps: |
There was a problem hiding this comment.
| given a <a for=/>request</a> <var>request</var>, run these steps: | |
| given a <a for=/>request</a> <var>request</var>: |
Modern style is just "To DO X given Y y:"
| <p>To <dfn id=append-a-request-cookie-header>append a request `<code>Cookie</code>` header</dfn>, | ||
| given a <a for=/>request</a> <var>request</var>, run these steps: | ||
| <ol> | ||
| <li><p>Let |sameSite| be the result of [=determining the same-site mode=] for <var>request</var>. |
| <ol> | ||
| <li><p>Let |sameSite| be the result of [=determining the same-site mode=] for <var>request</var>. | ||
| <li><p>Let |isSecure| be false. | ||
| <li><p>If <var>request</var>'s <a for=request>client</a> is a <a>secure context</a>, then set |isSecure| to true. |
There was a problem hiding this comment.
Isn't it strictly based on the URL scheme?
|
|
||
| <p class=note>It is expected that the cookie store returns an ordered list of cookies | ||
| <li>If |cookies| <a for="list">is empty</a>, then return. | ||
| <li>Let |value| be the result of running <a>serialize cookies</a> given |cookies|. |
There was a problem hiding this comment.
| <li>Let |value| be the result of running <a>serialize cookies</a> given |cookies|. | |
| <li>Let |value| be the result of <a>serializing cookies</a> given |cookies|. |
| @@ -3292,6 +3324,72 @@ through TLS using ALPN. The protocol cannot be spoofed through HTTP requests in | |||
|
|
|||
| <h2 id=http-extensions>HTTP extensions</h2> | |||
|
|
|||
| <h3 id=cookie-header>`<code>Cookie</code>` header</h3> | |||
There was a problem hiding this comment.
I think we need a dedicated Cookies section and the the Cookie header can be one part of that.
The other part will need to tackle johannhof/draft-annevk-johannhof-httpbis-cookies#13. In particular defining requirements for user agents around clearing cookies and how those changes are propagated across documents. At least I think we want all of the architecture to be handled by Fetch and then have HTML, Cookie Store API, and Service Workers (although maybe no Service Workers changes are required? I don't recall) call into that.
Co-authored-by: Anne van Kesteren <[email protected]>
This adds algorithms to retrieve and store cookies via the new draft cookie spec, assuming we have some more partitioning arguments.
It is based on #1707, and in total it does the following:
This blocks on some HTML changes
This patch does the following on top of the work in #1707:
rebase to main
add logic for parsing and storing cookies
point to the IETF-hosted draft cookie spec
don't point to storage access API for has storage access, use a broken link instead
add a broken link to environment/ancestry
add a broken link for the request's initiator origin plumbed in from HTML. It'll be defined here, but we need to modify HTML so we can track it in the top.
add broken links to things that need to be added to HTML
fix some nits (e.g. "foo" -> "
foo")use [=secure context=] not scheme=https
use SameSite=None by default. Let's punt on that for now, given the current state of implementations and lack of clear path forward.
At least two implementers are interested (and none opposed):
Tests are written and can be reviewed and commented upon at:
Implementation bugs are filed:
MDN issue is filed: n/a
The top of this comment includes a clear commit message to use.
Preview | Diff