[6265bis] Refactor cookie retrieval algorithm to support non-HTTP APIs #1428
Conversation
draft-ietf-httpbis-rfc6265bis.md
Outdated
| If a user agent does return cookies for a given call to a "non-HTTP" API with an | ||
| associated Document, then the user agent MUST compute the cookie-string following | ||
| the algorithm defined in {{retrieval-algorithm}, whereby the retrieval-uri is the | ||
| associated Document's URL. The retrieval is same-site if the Document's "site for |
There was a problem hiding this comment.
Should we reference https://dom.spec.whatwg.org/#dom-document-url somewhere (for Document's URL)?
There was a problem hiding this comment.
I don't think that's accurate. See the open issues against HTML. There's a document cookie URL that browsers use.
There was a problem hiding this comment.
@annevk you mean whatwg/html#2641 and whatwg/html#332? Are there others?
There was a problem hiding this comment.
Yeah, those seem the most relevant here. https://github.com/whatwg/html/labels/topic%3A%20cookie is the full list.
There was a problem hiding this comment.
@annevk it seems like the best thing to do then is to get a cookie URL defined in HTML that captures these nuances. I've updated the reference here to assume that already exists, and can help get those changes into HTML.
There was a problem hiding this comment.
It seems reasonable to move this lookup to HTML. (I hope we have someone willing to do that work though.) We probably also want to move the cookie store into Fetch eventually so partitioning and such can be defined better.
(There's also a proposal for a cookie API that would offer lower level access than a string and also from workers. That would also need to poke at the store directly.)
draft-ietf-httpbis-rfc6265bis.md
Outdated
| If a user agent does return cookies for a given call to a "non-HTTP" API with an | ||
| associated Document, then the user agent MUST compute the cookie-string following | ||
| the algorithm defined in {{retrieval-algorithm}, whereby the retrieval-uri is the | ||
| associated Document's URL. The retrieval is same-site if the Document's "site for |
There was a problem hiding this comment.
I don't think that's accurate. See the open issues against HTML. There's a document cookie URL that browsers use.
| @@ -1629,6 +1649,8 @@ the user agent might wish to try using the UTF-8 character encoding {{RFC3629}} | |||
| to decode the octet sequence. This decoding might fail, however, because not | |||
| every sequence of octets is valid UTF-8. | |||
There was a problem hiding this comment.
This also does not match what actually happens. Only Chrome can have such bytes at the moment and Chrome drops the cookies it cannot serialize, but does serialize the others.
To be clear, I only meant the
I can.
We'd like to keep this revision scoped to interop. Would you mind to file an issue with a little more detail on what parts you think should move to fetch? |
|
Thanks for clarifying, I misunderstood. I don't really have strong opinions on how it's organized as long as all possible scenarios have clear steps to follow. I guess there's a couple potential things with the lookup algorithm:
I'll file an issue on Fetch integration later. |
Done. I decided to keep that section, but even still it makes sense to include reference to an argument in the algorithm.
I filed #1502 for this. If you have more context to share, please do!
This is out of scope. |
There was a problem hiding this comment.
Thanks for the changes! Looking really good.
I just had one suggestion for refactoring the algorithm parameters slightly: if you make the URI, same-site status, and HTTP/non-HTTP bit all properties of the retrieval, you can just pass the cookie store and the retrieval into the algorithm, and refer to "the retrieval's URI", "the retrieval's same-site status" etc. I think it makes sense semantically to associate them with the retrieval since every retrieval must have those properties.
(also, adds the changelog for httpwg#1428)
These tests were temporarily disabled due to an incompatibility between Firefox and Chromium. Now that this has been resolved by a spec PR (httpwg/http-extensions#1428), the tests can be re-enabled. Additionally, one of the tests was adjusted to reflect the behavior for redirects specified in httpwg/http-extensions#1348, which is enabled as part of --enable-experimental-web-platform-features. Bug: 1074441 Change-Id: I7e1deadf0c080927cc328b54d300d5d418fa5c6d
These tests were temporarily disabled due to an incompatibility between Firefox and Chromium. Now that this has been resolved by a spec PR (httpwg/http-extensions#1428), the tests can be re-enabled. Additionally, one of the tests was adjusted to reflect the behavior for redirects specified in httpwg/http-extensions#1348, which is enabled as part of --enable-experimental-web-platform-features. Bug: 1074441 Change-Id: I7e1deadf0c080927cc328b54d300d5d418fa5c6d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3054294 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905421}
These tests were temporarily disabled due to an incompatibility between Firefox and Chromium. Now that this has been resolved by a spec PR (httpwg/http-extensions#1428), the tests can be re-enabled. Additionally, one of the tests was adjusted to reflect the behavior for redirects specified in httpwg/http-extensions#1348, which is enabled as part of --enable-experimental-web-platform-features. Bug: 1074441 Change-Id: I7e1deadf0c080927cc328b54d300d5d418fa5c6d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3054294 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905421}
These tests were temporarily disabled due to an incompatibility between Firefox and Chromium. Now that this has been resolved by a spec PR (httpwg/http-extensions#1428), the tests can be re-enabled. Additionally, one of the tests was adjusted to reflect the behavior for redirects specified in httpwg/http-extensions#1348, which is enabled as part of --enable-experimental-web-platform-features. Bug: 1074441 Change-Id: I7e1deadf0c080927cc328b54d300d5d418fa5c6d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3054294 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905421}
…=testonly Automatic update from web-platform-tests Re-enable SameSite cookie iframe WPTs These tests were temporarily disabled due to an incompatibility between Firefox and Chromium. Now that this has been resolved by a spec PR (httpwg/http-extensions#1428), the tests can be re-enabled. Additionally, one of the tests was adjusted to reflect the behavior for redirects specified in httpwg/http-extensions#1348, which is enabled as part of --enable-experimental-web-platform-features. Bug: 1074441 Change-Id: I7e1deadf0c080927cc328b54d300d5d418fa5c6d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3054294 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905421} -- wpt-commits: d4deee9e5303f3c09f65bc0d40783cc18a30606e wpt-pr: 29792
…=testonly Automatic update from web-platform-tests Re-enable SameSite cookie iframe WPTs These tests were temporarily disabled due to an incompatibility between Firefox and Chromium. Now that this has been resolved by a spec PR (httpwg/http-extensions#1428), the tests can be re-enabled. Additionally, one of the tests was adjusted to reflect the behavior for redirects specified in httpwg/http-extensions#1348, which is enabled as part of --enable-experimental-web-platform-features. Bug: 1074441 Change-Id: I7e1deadf0c080927cc328b54d300d5d418fa5c6d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3054294 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905421} -- wpt-commits: d4deee9e5303f3c09f65bc0d40783cc18a30606e wpt-pr: 29792
…=testonly Automatic update from web-platform-tests Re-enable SameSite cookie iframe WPTs These tests were temporarily disabled due to an incompatibility between Firefox and Chromium. Now that this has been resolved by a spec PR (httpwg/http-extensions#1428), the tests can be re-enabled. Additionally, one of the tests was adjusted to reflect the behavior for redirects specified in httpwg/http-extensions#1348, which is enabled as part of --enable-experimental-web-platform-features. Bug: 1074441 Change-Id: I7e1deadf0c080927cc328b54d300d5d418fa5c6d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3054294 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905421} -- wpt-commits: d4deee9e5303f3c09f65bc0d40783cc18a30606e wpt-pr: 29792
…=testonly Automatic update from web-platform-tests Re-enable SameSite cookie iframe WPTs These tests were temporarily disabled due to an incompatibility between Firefox and Chromium. Now that this has been resolved by a spec PR (httpwg/http-extensions#1428), the tests can be re-enabled. Additionally, one of the tests was adjusted to reflect the behavior for redirects specified in httpwg/http-extensions#1348, which is enabled as part of --enable-experimental-web-platform-features. Bug: 1074441 Change-Id: I7e1deadf0c080927cc328b54d300d5d418fa5c6d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3054294 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905421} -- wpt-commits: d4deee9e5303f3c09f65bc0d40783cc18a30606e wpt-pr: 29792
This PR refactors the cookie retrieval algorithm that formerly lived in
The Cookie Headersection to a newRetrieval Modelsection that mirrors the more genericStorage Modelsection for cookie setting.This didn't require too much legwork in the end. Of note, I've moved us over from working with a request-target to target URI. A request target may not be a full URI (i.e., the "origin form" is a path + query), but we want a full URI so we can call the retrieval algorithm with a Document's URI for non-HTTP APIs. This was mostly a drop-in replacement in the rest of the doc, but I did remove one section that elaborated on extracting a path from the different forms of a request target.
I'm wondering whether we want to keep the
non-HTTP APIsection at all. This only specifies one type of non-HTTP API (i.e., those with an associated Document); I'm not sure if there are any other non-HTTP APIs that user agents implement? And that functionality is already specified in more detail in HTML here. I wonder whether it's better to just update HTML with a reference to the new Retrieval Algorithm once we release a new version of the draft. cc/ @annevk for input.Addresses #1233, #769, and #1163.