Intent to Experiment: Cookie Store API


ay...@chromium.org

May 8, 2020, 12:15:10 PM
to blink-dev

Contact emails

ay...@chromium.org, pwn...@chromium.org, jsb...@chromium.org


Spec

Explainer: https://github.com/WICG/cookie-store/blob/master/explainer.md

Spec: https://wicg.github.io/cookie-store/


Summary

The Cookie Store API exposes HTTP cookies to service workers and offers a needed asynchronous alternative to document.cookie.


Conceptually, the API consists of three components:

  • Query API: asynchronous replacement for the document.cookie getter

  • Modification API: asynchronous replacement for the document.cookie setter

  • Change Events API: battery-friendly replacement for polling the document.cookie getter


The Change Events API has different shapes in documents and service workers. Documents can register an event listener that receives change events for all cookies visible to the document. Service Workers create more fine-grained subscriptions that filter which cookie changes dispatch change events. The main Service Worker use case we are aware of is removing private data from browser storage when the authentication state changes (Clear-Site-Data is not sufficient for sites that support multiple signed-on users).


Although there are long-term plans to deprecate cookies, we recognize that with the existing heavy usage of cookies, it will take a long time for this to happen. We think that by introducing this API now, it will help the current state of cookies by allowing developers to use them more judiciously and make better decisions about security while also improving performance.


Link to “Intent to Prototype” blink-dev discussion

Intent to Implement: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/gU-tSdjR4rA/discussion


Goals for experimentation

We want developer feedback around the API’s performance and applicability.


  • Are the query and modification APIs sufficient for replacing document.cookie?

  • Is it acceptable to dispatch all cookie change events to documents?

  • Are the subscriptions in the service worker change events API flexible enough?


At least one major customer inside Google wants to use this API to remove private data from browser storage when authentication data (stored in cookies) changes. At least one major customer outside Google is interested in using this API to replace document.cookie polling. We want to learn from their deployment experiences.


Experimental timeline

M84-86


Any risks when the experiment finishes?

This API addresses cookies, which are currently accessible via document.cookie and HTTP headers.


Reason this experiment is being extended

This is the 2nd experiment for CookieStore API. We did not receive enough feedback on the first Origin Trial to move forward with the API at the time. We now have dedicated partners interested in trying the API in production who will provide the feedback we need.

Previous I2E: https://groups.google.com/a/chromium.org/forum/#!searchin/blink-dev/Async$20Cookies%7Csort:date/blink-dev/pdxkBoURmaA/XOPF1kRsBAAJ


Ongoing technical constraints

None


Debuggability

DevTools already has great support for cookies.


Will this feature be supported on all five Blink platforms supported by Origin Trials (Windows, Mac, Linux, Chrome OS, and Android)?

Yes


Link to entry on the feature dashboard

https://www.chromestatus.com/feature/5658847691669504
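
The service worker use case from the Summary (removing private data from browser storage when the authentication state changes), as an added example that is not part of the original post or of Chromium's code. The cookie name `session` and the `private-` cache prefix are assumptions, and the subscription calls follow the linked spec as currently published, which may differ from the origin-trial build.

```javascript
// Added example. AUTH_COOKIE and PRIVATE_CACHE_PREFIX are assumed names.
const AUTH_COOKIE = 'session';
const PRIVATE_CACHE_PREFIX = 'private-';

// Inspect a cookiechange event: event.changed and event.deleted are lists of
// cookie objects ({name, value, ...}). Returns 'deleted', 'changed' or null.
function authCookieTouched(event) {
  const isAuth = (cookie) => cookie.name === AUTH_COOKIE;
  if ((event.deleted || []).some(isAuth)) return 'deleted';
  if ((event.changed || []).some(isAuth)) return 'changed';
  return null;
}

// Delete every cache whose name carries the private prefix and return the
// deleted names. Shared caches (static assets) are left alone.
async function purgePrivateCaches(cacheStorage) {
  const names = (await cacheStorage.keys())
    .filter((name) => name.startsWith(PRIVATE_CACHE_PREFIX));
  await Promise.all(names.map((name) => cacheStorage.delete(name)));
  return names;
}

// Wiring: only runs inside a service worker, so the helpers above can be
// exercised elsewhere with fake events and a fake CacheStorage.
if (typeof ServiceWorkerGlobalScope !== 'undefined' &&
    self instanceof ServiceWorkerGlobalScope) {
  self.addEventListener('activate', (event) => {
    // Fine-grained subscription: only changes to the auth cookie wake the worker.
    event.waitUntil(self.registration.cookies.subscribe([{ name: AUTH_COOKIE }]));
  });

  self.addEventListener('cookiechange', (event) => {
    // Sign-out (deleted) and account switch (changed) both invalidate
    // whatever was cached for the previous user.
    if (authCookieTouched(event) !== null) {
      event.waitUntil(purgePrivateCaches(self.caches));
    }
  });
}
```

Service worker globals do not survive a worker restart, so the handler purges on every change to the auth cookie instead of comparing against a remembered value.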



Yoav Weiss

May 14, 2020, 2:14:14 PM
to ay...@chromium.org, blink-dev
LGTM to experiment.
While cookies are not great, they're still a thing, and having an async way to access them sounds like progress.
