Intent to Ship: Cookie Store API


ay...@chromium.org

Sep 17, 2020, 5:06:57 PM
to blink-dev

Contact emails

ay...@chromium.org, pwn...@chromium.org, jsb...@chromium.org


Explainer

https://github.com/WICG/cookie-store/blob/main/explainer.md


Specification

https://wicg.github.io/cookie-store/


Design docs

https://docs.google.com/document/d/1ak6JzOMMO5q3dXvu4mHFWR-LLvaDc09XDvdeJZLtZd4/edit?usp=sharing


TAG review

https://github.com/w3ctag/design-reviews/issues/469


Summary

The Cookie Store API exposes HTTP cookies to service workers and offers an asynchronous alternative to document.cookie.


Link to “Intent to Prototype” blink-dev discussion

https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/gU-tSdjR4rA/discussion


Link to Origin Trial Feedback Summary

https://docs.google.com/document/d/1-bFqtgxquTNoNBK-51MvhrsoRSIqZ63MBoiVLkCrP10/edit?usp=sharing 


Risks


Interoperability and Compatibility

Websites will still be able to use existing document.cookie for other browsers if they do not end up implementing this API. 


Gecko: Defer (https://mozilla.github.io/standards-positions/#cookie-store)


WebKit: No signal (https://lists.webkit.org/pipermail/webkit-dev/2020-August/031364.html)


Web developers: Positive (https://github.com/WICG/cookie-store/issues/31#issuecomment-239707182, https://discourse.wicg.io/t/rfc-proposal-for-an-asynchronous-cookies-api/1652/2)


Working with Internal Google partners.

One of the major use cases for this feature requested by web developers is for session cookies. Cookie Store API will allow Service Workers to react to session state changes and clean up private cached data.


Security

None, this does not change the security properties of cookies on the Web Platform. Cookie Store API’s design also nudges developers toward better defaults with default path, and encourages security by restricting API usage to secure contexts only. (https://wicg.github.io/cookie-store/#restrict



Debuggability

DevTools already has great support for cookies.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes


Is this feature fully tested by web-platform-tests?

Yes https://wpt.fyi/results/cookie-store?label=experimental&label=master&aligned


Tracking bug

https://crbug.com/729800


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5658847691669504
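
The session-cookie use case named in the post above, sketched as an added example (not part of the original post or of Chromium's code): a service worker subscribes to one cookie and drops per-user caches whenever that cookie is deleted or replaced. The cookie name `session_id` and the `private-` cache prefix are assumptions made for illustration.

```javascript
// Added example. SESSION_COOKIE and PRIVATE_CACHE_PREFIX are assumed names.
const SESSION_COOKIE = 'session_id';
const PRIVATE_CACHE_PREFIX = 'private-';

// True when a cookiechange event deleted or rewrote the session cookie.
// `changed` and `deleted` are the lists the Cookie Store API puts on the event.
function sessionCookieTouched(event) {
  const hit = (cookie) => cookie.name === SESSION_COOKIE;
  return event.deleted.some(hit) || event.changed.some(hit);
}

// Delete every cache holding per-user data; shared caches are left alone.
// Returns the names that were removed so callers can log or assert on them.
async function purgePrivateCaches(cacheStorage) {
  const names = await cacheStorage.keys();
  const doomed = names.filter((n) => n.startsWith(PRIVATE_CACHE_PREFIX));
  await Promise.all(doomed.map((n) => cacheStorage.delete(n)));
  return doomed;
}

// Fail safe: any write to the session cookie (logout, expiry, or a new login)
// purges, because a service worker cannot rely on remembering the previous
// value across restarts.
async function onCookieChange(event, cacheStorage) {
  if (!sessionCookieTouched(event)) return [];
  return purgePrivateCaches(cacheStorage);
}

// Wire up only inside a service worker whose browser exposes the API
// (secure contexts only, per the specification).
if (typeof self !== 'undefined' && self.registration && self.registration.cookies) {
  self.addEventListener('activate', (event) => {
    // Service workers receive cookiechange only for subscribed cookies.
    event.waitUntil(
      self.registration.cookies.subscribe([{ name: SESSION_COOKIE, url: '/' }])
    );
  });
  self.addEventListener('cookiechange', (event) => {
    event.waitUntil(onCookieChange(event, caches));
  });
}
```

Because the handler takes the cache storage as a parameter, the purge logic can be exercised outside a browser with a stand-in object.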


Domenic Denicola

Sep 17, 2020, 5:17:40 PM
to ay...@chromium.org, blink-dev

As spec mentor for this API, I want to chime in and say that the feature and its specification look great. Over the last couple of weeks ayui@ has worked to close out remaining specification and explainer issues and get things into ship-shape. Notable examples:

 

At this point I’m very happy with the specification; it’s a model of clarity and precision, and should be interoperably implementable. (It’ll also be really nice for web developers!)

Manuel Rego Casasnovas

Sep 21, 2020, 8:01:27 AM
to ay...@chromium.org, blink-dev
Hi,

On 17/09/2020 19:49, ay...@chromium.org wrote:
> Specification
>
> https://wicg.github.io/cookie-store/

Are you planning to move the spec out of incubation into any standards
group?

> TAG review
>
> https://github.com/w3ctag/design-reviews/issues/469

Nice to see that you incorporated the TAG review feedback into the final
proposal.

> Gecko: Defer (https://mozilla.github.io/standards-positions/#cookie-store)

It looks like the position has been re-opened and Mozilla's opinion
could change (or not):
https://github.com/mozilla/standards-positions/issues/94#issuecomment-682450403
It seems they like the idea but haven't evaluated some implications yet.
Do we have any more information about those potential concerns from Apple?

Thanks,
Rego

Ayu Ishii

Sep 21, 2020, 5:46:14 PM
to Manuel Rego Casasnovas, blink-dev
Thanks for the questions!
 
> Specification
>
> https://wicg.github.io/cookie-store/
> Are you planning to move the spec out of incubation into any standards
> group?

Currently no plans to move it out of incubation.

 
> WebKit: No signal
> (https://lists.webkit.org/pipermail/webkit-dev/2020-August/031364.html)
> It seems they like the idea but haven't evaluated some implications yet.
> Do we have any more information about those potential concerns from Apple?

We haven't received any feedback outside of what has been posted in public channels. 

Best,
Ayu

Ayu Ishii

Sep 21, 2020, 6:18:37 PM
to blink-dev, Ayu Ishii, blink-dev
We are additionally asking permission to extend the Origin Trial for a "gapless" OT. We have an internal partner who built a feature on top of the Cookie Store API and would like to roll out. The partner has not requested any API changes, and was not impacted by the minor changes made during OT. I've updated the OT Summary document with this partner use case. 

Thanks,
Ayu

Yoav Weiss

Sep 24, 2020, 6:17:43 AM
to ay...@chromium.org, David Benjamin, blink-dev
LGTM1

Thanks for working on this! I believe this has been in the works for many years, so great to see you taking it over the finish line :)

While reviewing this (and because I've been thinking about this problem in other contexts, thanks to +David Benjamin), I realized that SWs that are using Cache.match() won't take these cookies into account.
That's already true for cookies today, and also true for other headers added below the SW (e.g. `User-Agent`).
As such, it doesn't seem like a blocker, but does seem like something we may want to eventually address (e.g. maybe by feeding information about cookies, UA string, etc to the `match()` method as part of `options`).
I filed a SW issue to discuss that.



Chris Harrelson

Sep 24, 2020, 11:54:21 AM
to Yoav Weiss, ay...@chromium.org, David Benjamin, blink-dev
LGTM2 to ship and LGTM for a gapless OT, given evidence of partner engagement.

Mike West

Sep 24, 2020, 3:15:10 PM
to blink-dev, Chris Harrelson, Ayu Ishii, David Benjamin, blink-dev, yo...@yoav.ws
LGTM3. I'm happy with the way this API has developed over time, and it seems like a distinct improvement over `document.cookie` with a better set of defaults and restrictions.

Ayu Ishii

Dec 9, 2020, 1:19:20 PM
to blink-dev, Mike West, Chris Harrelson, Ayu Ishii, David Benjamin, blink-dev, yo...@yoav.ws
Thank you for all the approvals!

Just updating this thread to inform that the Trial end date has been extended to Jan 31, 2021 (M86) for the gapless OT.
This is an additional update from the Dec 15, 2021 (M86) date to make sure users have enough time to transition to the shipped version. 

Thanks,
Ayu