Contact emails
Explainer
No information provided
Specification
https://github.com/whatwg/cookiestore/pull/292
Summary
Allows callers to specify a `maxAge` when setting a cookie with the Cookie Store API. Cookie expiry time is already configurable using the `expires` attribute, but `maxAge` provides a more idiomatic option and aligns the Cookie Store API with the options provided by `document.cookie` and the `Set-Cookie` HTTP Header.
Blink component
Web Feature ID
Motivation
Currently, developers can use the `expires` attribute when setting a cookie with the Cookie Store API to set an absolute timestamp for expiry. This can be unintuitive and is impacted by client-side clock skew. RFC6265bis and the document.cookie API provide a `Max-Age` attribute, which allows for relative cookie lifetimes and ergonomic deletion. We should provide a `maxAge` option in the Cookie Store API to support relative expiry and align with these APIs.
Initial public proposal
https://github.com/whatwg/cookiestore/issues/57
TAG review
Not requested; this is a relatively small feature that has no impact on behavior or new information exposed through the API.
TAG review status
Not applicable
Risks
Interoperability and Compatibility
Additive feature with no impact to existing cookies/behavior. Does not expose additional information or functionality; setting a cookie's absolute expiry with the `expires` value is already supported in the API.
Gecko: Positive (https://github.com/mozilla/standards-positions/issues/1334)
WebKit: No Signal (https://github.com/WebKit/standards-positions/issues/597)
We are actively developing this feature in collaboration with WebKit https://github.com/whatwg/cookiestore/pull/292#pullrequestreview-3538599229
Web developers: Positive (https://github.com/whatwg/cookiestore/issues/57) Could be easier for developers to work with now-relative values, aligns the Cookie Store API with the features provided by document.cookie and RFC6265bis
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
No
Debuggability
Cookies (and their properties such as expiry time) are debuggable through the Application > Cookies tab on DevTools
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
Yes
Is this feature fully tested by web-platform-tests?
Yes
Flag name on about://flags
No information provided
Finch feature name
CookieStoreAPIMaxAge
Rollout plan
Will ship enabled for all users
Requires code in //chrome?
False
Tracking bug
https://issues.chromium.org/430926231
Estimated milestones
Anticipated spec changes
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
None
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5190778418757632
--
A few questions around interop between 6265bis cookies and CookieStore cookies (I'm much less familiar with CookieStore):
I don't see any mention of the concept of "cookie-age-limit" (400 days) that 6265bis defines - how does that work for CookieStore? https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-22.html#section-5.5
Step 13.1 of https://cookiestore.spec.whatwg.org/#set-cookie-algorithm returns failure when a cookie has both expires and max-age, but https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-22.html#section-5.7 requires that max-age wins. Is there any reason for the difference for Cookie Store?
Is this feature fully tested by web-platform-tests?
Yes
Can we add a test for max-age=0 value? This has been recently allowed explicitly in the grammar defined in 6265bis (and is supported by all browsers):
--
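The two resolution rules compared in the reply above, modelled side by side as an added example (not code from the thread, the spec or Chromium). The function names, the treatment of `maxAge` as seconds on the Cookie Store side, and applying the 400-day cap there are assumptions of this sketch; whether the cap applies to Cookie Store is the open question in the thread.

```javascript
// Added illustration. All timestamps are milliseconds since the epoch.
const DAY_MS = 24 * 60 * 60 * 1000;
const COOKIE_AGE_LIMIT_MS = 400 * DAY_MS; // "cookie-age-limit" cited in the thread

// Header-style rule as the reply describes it for 6265bis:
// Max-Age (seconds) wins over Expires, then the lifetime is capped.
function resolveHeaderExpiry({ expires, maxAge }, nowMs) {
  let expiry;
  if (maxAge !== undefined) {
    // Zero or negative Max-Age expires the cookie immediately (deletion).
    expiry = maxAge <= 0 ? 0 : nowMs + maxAge * 1000;
  } else if (expires !== undefined) {
    expiry = expires;
  } else {
    return null; // no attribute: session cookie
  }
  return Math.min(expiry, nowMs + COOKIE_AGE_LIMIT_MS);
}

// Cookie Store rule as the reply reads step 13.1: passing both options
// is a failure, not a silent precedence decision.
// Assumption: maxAge in seconds and the same cap, reusing the rule above.
function resolveCookieStoreExpiry(options, nowMs) {
  if (options.expires !== undefined && options.maxAge !== undefined) {
    throw new TypeError("expires and maxAge are mutually exclusive");
  }
  return resolveHeaderExpiry(options, nowMs);
}

// Constructed sample inputs covering the three cases raised in the reply.
function demo(nowMs) {
  const both = { expires: nowMs + 10 * DAY_MS, maxAge: 3600 };
  let storeResult;
  try {
    storeResult = resolveCookieStoreExpiry(both, nowMs);
  } catch (e) {
    storeResult = e.name; // "TypeError"
  }
  return {
    headerBoth: resolveHeaderExpiry(both, nowMs),
    storeBoth: storeResult,
    deleteNow: resolveHeaderExpiry({ maxAge: 0 }, nowMs),
    capped: resolveHeaderExpiry({ maxAge: 500 * 86400 }, nowMs),
  };
}

console.log(demo(Date.UTC(2026, 0, 1)));
```

The same input that the header rule resolves quietly to the shorter lifetime is rejected outright by the Cookie Store rule, which is the interop difference the reply asks about.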