Contact emails
ari...@chromium.org, mike...@chromium.org, bin...@chromium.org
Specification
https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-expires-attribute
Summary
Since M104, cookies newly created or updated with an expiration date have had that date capped at no more than 400 days in the future. This same limit will now be retroactively applied to cookies already in storage to cap their expiration dates to no more than 400 days after the first time Chrome M118+ starts up and does a one-time database migration. The impact of this change will not be felt by users until at least 400 days after M118 is released, and then only for existing cookies that have not been updated in that period.
Blink component
Motivation
The draft of rfc6265bis now contains an upper limit for Cookie Expires/Max-Age attributes. As written:
`The user agent MUST limit the maximum value of the [Max-Age/Expiration] attribute. The limit MUST NOT be greater than 400 days (34560000 seconds) in duration. The RECOMMENDED limit is 400 days in duration, but the user agent MAY adjust the limit to be less. [Max-Age/Expiration] attributes that are greater than the limit MUST be reduced to the limit.`
This limit should be enforced retroactively to comply with the specification and clear old cookies with high expiration dates out on a reasonable timetable.
TAG review
Supportive of original change
Compatibility
In general, websites should never depend on cookies existing for some predictable length of time. The browser can and will evict for any number of reasons.
Safari is already partially compliant (with an upper age limit of 7 days when cookies are set client side but no limit when set by the server), while Firefox supports cookies with expiration dates millennia in the future.
Gecko: Positive
WebKit: Positive
Web developers: Mostly negative or neutral on expires limits in general
Existing DevTools affordances for debugging cookie attributes will work as expected here
Is this feature fully tested by web-platform-tests?
Tracking bug
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5086241845936128
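The two rules the intent above relies on are the cap that the rfc6265bis draft places on a freshly parsed Expires/Max-Age attribute (400 days, 34560000 seconds, Max-Age taking precedence over Expires) and the retroactive cap the migration applies to cookies already in the store. The following is an added illustration, not Chromium code and not taken from the draft: a small Python model of both steps. The Set-Cookie parser, the cookie store layout (a name to expiry mapping) and the sample dates are constructed for the example; the 400-day constant is the one the draft and the intent state.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Upper bound from draft-ietf-httpbis-rfc6265bis: 400 days = 34560000 seconds.
MAX_COOKIE_AGE = timedelta(days=400)
assert MAX_COOKIE_AGE.total_seconds() == 34_560_000


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).

    Hypothetical minimal parser for the example: attribute names are
    lower-cased, values are kept as written. Not a full rfc6265bis parser.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def effective_expiry(header, now):
    """Return the expiry a user agent would store for this Set-Cookie header.

    Returns None for a session cookie (no Max-Age and no usable Expires).
    Max-Age wins over Expires, and whichever applies is capped at
    now + 400 days, which is the draft's cap on newly set cookies.
    """
    _, _, attrs = parse_set_cookie(header)
    if "max-age" in attrs:
        try:
            delta_seconds = int(attrs["max-age"])
        except ValueError:
            return None  # unparsable Max-Age is ignored, cookie becomes session-only
        if delta_seconds <= 0:
            return now  # treated as already expired (draft: earliest representable date)
        expiry = now + timedelta(seconds=delta_seconds)
    elif "expires" in attrs:
        try:
            expiry = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparsable Expires is ignored as well
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
    else:
        return None
    return min(expiry, now + MAX_COOKIE_AGE)


def migrate_store(cookies, migration_time):
    """Apply the retroactive cap described in the intent to an existing store.

    `cookies` maps cookie name to stored expiry (None = session cookie).
    Every persistent cookie is capped at migration_time + 400 days; cookies
    already below the cap, and session cookies, are left untouched.
    """
    cap = migration_time + MAX_COOKIE_AGE
    return {
        name: (expiry if expiry is None else min(expiry, cap))
        for name, expiry in cookies.items()
    }


if __name__ == "__main__":
    now = datetime(2023, 10, 1, tzinfo=timezone.utc)
    # Constructed sample headers: one far-future Expires, one modest Max-Age.
    for header in ("theme=dark; Expires=Fri, 01 Jan 2100 00:00:00 GMT; Path=/",
                   "sid=abc; Max-Age=3600; Secure; HttpOnly"):
        print(header, "->", effective_expiry(header, now))
    # Constructed sample store at first M118+ startup: the far-future cookie
    # is the one the thread's hypothetical awesomeapp.tv scenario worries about.
    store = {"theme": datetime(2099, 1, 1, tzinfo=timezone.utc),
             "recent": datetime(2024, 3, 1, tzinfo=timezone.utc),
             "session": None}
    print(migrate_store(store, now))
```

The model makes the thread's question concrete: a cookie that was set with a far-future Expires and is never re-set keeps its stored date through `effective_expiry` only if it was set before M104, and after `migrate_store` runs it has at most 400 days left; a site that refreshes the cookie on each visit (which produces a new `effective_expiry` call) keeps it alive indefinitely.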
I like the idea of automatically clearing out unused cookies, but I am unclear if that is what happens here.
In a hypothetical scenario, a user of website awesomeapp.tv will make some customization the first time they are there, and the site will store that customization in a cookie with an expire date far, far into the future. If this hypothetical user keeps using awesomeapp.tv without changing any settings, and with no cookie updates, will they still lose their customization after 400 days?
If the hypothetical scenario could play out, do we have any idea how common it would be?
To create some context, we have an informal "this breakage is acceptable if needed to move the web forward" limit of 0.003% of page loads. The numbers you list set an upper limit on the amount of problems and the real number of possibly problematic page loads or affected sites will be much lower, but how low?
/Daniel
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGpy5D%2B_u5LB6wF%3DT9fu%2B2Svciv%2BWVu-oOVN1CWCvVAeHfVvAA%40mail.gmail.com.
So my assumption is the pessimistic one that most sites won't notice this policy change even if we publish posts about it. And even if users and sites can survive lost cookies, it might still be a disruption that was unexpected and unwanted. But I don't have any good idea of how disruptive and how common it will be. It might not be a real problem at all, but I am missing the knowledge and data to understand what the size of the risk is.
My hope was that you would have some information or data that
would show to me that there is nothing to be concerned about. I
don't think I'm there yet, but if cookies are already limited to
400 days, that is a good indication it can't be too much of a
problem.
/Daniel
Perhaps we could delay this change until M119 as I understand that the first cookies that were set more than 400 days ago are due to expire in the M118 window. That should give us some time to understand the impact in more concrete terms and mitigate some of the impact, were it to turn out that 400 days is not the right balance between utility and protecting users.
(I should note that I'm supportive of this change as proposed as a net positive for security, but am recused from voting on it.)
LGTM1
There will be some day late in 2024, early in 2025 that will be the death of many cookies. I now believe the risk of that being a problem is low enough.
/Daniel