Intent to Experiment: Cookie Store API
ay...@chromium.org
Contact emails
ay...@chromium.org, pwn...@chromium.org, jsb...@chromium.org
Spec
Explainer: https://github.com/WICG/cookie-store/blob/master/explainer.md
Spec: https://wicg.github.io/cookie-store/
Summary
The Cookie Store API exposes HTTP cookies to service workers and offers a needed asynchronous alternative to document.cookie.
Conceptually, the API consists of three components:
Query API: asynchronous replacement for the document.cookie getter
Modification API: asynchronous replacement for the document.cookie setter
Change Events API: battery-friendly replacement for polling the document.cookie getter
The Change Events API has different shapes in documents and service workers. Documents can register an event listener that receives change events for all cookies visible to the document. Service Workers create more fine-grained subscriptions that filter which cookie changes dispatch change events. The main Service Worker use case we are aware of is removing private data from browser storage when the authentication state changes (Clear-Site-Data is not sufficient for sites that support multiple signed-on users).
Although there are long term plans to deprecate cookies, we recognize that with the existing heavy usage of cookies, it will take a long time for this to happen. We think that by introducing this API now, it will help the current state of cookies by allowing developers to use them more judiciously and make better decisions about security while also improving performance.
Link to “Intent to Prototype” blink-dev discussion
Intent to Implement: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/gU-tSdjR4rA/discussion
Goals for experimentation
We want developer feedback around the API’s performance and applicability.
Are the query and modification APIs sufficient for replacing document.cookie?
Is it acceptable to dispatch all cookie change events to documents?
Are the subscriptions in the service worker change events API flexible enough?
At least one major customer inside Google wants to use this API to remove private data from browser storage when authentication data (stored in cookies) changes. At least one major customer outside Google is interested in using this API to replace document.cookie polling. We want to learn from their deployment experiences.
Experimental timeline
M84-86
Any risks when the experiment finishes?
This API addresses cookies, which are currently accessible via document.cookie and HTTP headers.
Reason this experiment is being extended
This is the 2nd experiment for CookieStore API. We did not receive enough feedback on the first Origin Trial to move forward with the API at the time. We now have dedicated partners interested in trying the API in production who will provide the feedback we need.
Previous I2E: https://groups.google.com/a/chromium.org/forum/#!searchin/blink-dev/Async$20Cookies%7Csort:date/blink-dev/pdxkBoURmaA/XOPF1kRsBAAJ
Ongoing technical constraints
None
Debuggability
DevTools already has great support for cookies.
Will this feature be supported on all five Blink platforms supported by Origin Trials (Windows, Mac, Linux, Chrome OS, and Android)?
Yes
Link to entry on the feature dashboard
https://www.chromestatus.com/feature/5658847691669504
ay...@chromium.org
Yoav Weiss
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1191092f-037c-4d93-8635-fe589328773c%40chromium.org.