Intent to Ship: Clear-Site-Data header
Martin Šrámek
Contact emails
msr...@chromium.org, mk...@chromium.orgSpec
https://w3c.github.io/webappsec-clear-site-data/
Summary
The Clear-Site-Data header allows a secure origin to send a header requesting the deletion of its own browsing data. Storage and cache can be deleted for the origin, cookies are deleted for the entire eTLD+1.
Link to “Intent to Implement” blink-dev discussion
What has changed since:
The header is supported for subresource requests as well (not just for navigations).
The header is not respected when returned by service workers, or when the credentials mode does not allow modifications to cookies (kudos to mme...@chromium.org for pointing out these issues).
The "storage" section now only includes storage datatypes that are writable/readable by web, but not ones kept by the embedder (such as site engagement).
Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
Demo link
A demo is available here. Currently, it’s necessary to download it and run the python server locally. I’ll see what I can do to get it hosted somewhere.
Debuggability
Every occurrence of the header produces a console output, stating that data is being cleared, or explaining why the header could not be parsed.
Interoperability and Compatibility Risk
Edge: No signals
Firefox: Positive
Safari: No signals
Web developers: Positive (Github has been experimenting for months, Google products have been patiently waiting much longer)
Dropbox (among others) noted that the categories in the spec at the moment are fairly broad, and we expect we'll want to introduce more granular filters in the future (to, for example, allow removing Service Workers but not `localStorage`, or all but one critical cookie). The syntax is extensible (unknown values are simply ignored), and forward-compatible with a more complicated JSON representation if we decide we need that complexity in the future.
Is this feature fully tested by web-platform-tests?
There is currently only one simple WPT at the moment. Chrome's implementation is fully covered by browsertests. We intend to convert those to upstreamed layout tests before shipping.
OWP launch tracking bug
Entry on the feature dashboard
https://www.chromestatus.com/feature/4713262029471744
Rick Byers
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABB%3D4ScQKSzEUq1RwE1-g-KY5_P3%2BCYA9nwYo6FgseKaBNcBcQ%40mail.gmail.com.
Chris Harrelson
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY850L1jF84NSrF8qLY_yTKceZmUNZ8xJHExamgfpup4fA%40mail.gmail.com.
Jochen Eisinger
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY850L1jF84NSrF8qLY_yTKceZmUNZ8xJHExamgfpup4fA%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-SSvBhS0fHEkGX9pGwtuj82TH504LByzqsxrXYnDZuXQ%40mail.gmail.com.