Intent to Prototype & Ship: Clear-Site-Data header wildcard syntax


Ari Chivukula

Jul 17, 2023, 7:34:51 AM
to blink-dev

Contact emails

ari...@chromium.org, mike...@chromium.org, yoav...@chromium.org


Specification

https://w3c.github.io/webappsec-clear-site-data/


Summary

Websites will now be able to clear all storage targets (“cookies”, “cache”, and “storage”) by sending `Clear-Site-Data: "*"`. Note that Chrome does not support clearing “executionContexts” at the moment, but if we added it in the future any header targeting “*” would then clear them too.


Note: This was proposed in 2017, but never launched in Chrome.


Blink component

Blink>Storage


Motivation

If a website really wanted to clear all data they would have to list all possible targets in the header and be sure to check if any were added in the future. By using “*” as the target, a website can be sure all data the browser supports to clear via the header will be cleared.


TAG review

https://github.com/w3ctag/design-reviews/issues/62


Compatibility & Interoperability

We would be the first to implement if approved.


Gecko: Positive


WebKit: No current support


Web Developers: None so far


Is this feature fully tested by web-platform-tests?

https://wpt.fyi/results/client-hints/clear-site-data?label=experimental&label=master&aligned

https://wpt.fyi/results/clear-site-data?label=experimental&label=master&aligned


Tracking bug

https://crbug.com/1464260


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5074132743487488
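
The wildcard behaviour described in this post, modelled as an added example (not part of the original thread and not Chromium code). The function names and the `SUPPORTED_FUTURE` set are hypothetical, the sample header values are constructed, and skipping unrecognised tokens is an assumption of the model.

```javascript
// Added illustration: a model of wildcard expansion, not Chromium's code.
// Types Chrome clears via the header today, per the post above.
const SUPPORTED_TODAY = ["cookies", "cache", "storage"];
// Hypothetical future set if "executionContexts" support were added.
const SUPPORTED_FUTURE = [...SUPPORTED_TODAY, "executionContexts"];

// Split a Clear-Site-Data value into quoted-string tokens. Items not wrapped
// in straight double quotes (e.g. typographic quotes) are malformed.
function parseClearSiteData(value) {
  const tokens = [];
  const malformed = [];
  for (const raw of value.split(",")) {
    const item = raw.trim();
    if (item === "") continue;
    const m = /^"([^"\\]*)"$/.exec(item);
    if (m) tokens.push(m[1]);
    else malformed.push(item);
  }
  return { tokens, malformed };
}

// Resolve a header value against the types a user agent supports.
// "*" expands to every supported type; unrecognised tokens are skipped
// (an assumption of this model).
function resolveTargets(value, supported) {
  const { tokens, malformed } = parseClearSiteData(value);
  const wanted = new Set();
  const ignored = [...malformed];
  for (const t of tokens) {
    if (t === "*") supported.forEach((s) => wanted.add(s));
    else if (supported.includes(t)) wanted.add(t);
    else ignored.push(t);
  }
  return { cleared: supported.filter((s) => wanted.has(s)), ignored };
}

// Types the same header would additionally clear once the supported set grows.
function newlyCleared(value) {
  const now = resolveTargets(value, SUPPORTED_TODAY).cleared;
  const later = resolveTargets(value, SUPPORTED_FUTURE).cleared;
  return later.filter((t) => !now.includes(t));
}

// Constructed sample header values.
for (const v of ['"*"', '"cookies", "cache", "storage"', '“*”']) {
  console.log(v, resolveTargets(v, SUPPORTED_TODAY), newlyCleared(v));
}
```

An explicit list keeps its meaning when the supported set grows, while `"*"` picks up every new target automatically.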


Rick Byers

Jul 18, 2023, 1:59:09 PM
to Ari Chivukula, blink-dev
Seems like a pretty tiny addition to an already shipped feature. Just one question on future compat:

On Mon, Jul 17, 2023 at 7:34 AM Ari Chivukula <ari...@chromium.org> wrote:

> Summary
>
> Websites will now be able to clear all storage targets (“cookies”, “cache”, and “storage”) by sending `Clear-Site-Data: "*"`. Note that Chrome does not support clearing “executionContexts” at the moment, but if we added it in the future any header targeting “*” would then clear them too.


What's the risk we'll find we can't actually do that for web compat reasons? Eg. sites deploying "*" today without appreciating the implications of asking for pages to be reloaded, then when we add "executionContexts" support in the future the user experience degrades enough that we can't actually ship it as part of the "*" set? Do we have guidance for developers on when to use "*" vs. a specific list?

> Compatibility & Interoperability
>
> We would be the first to implement if approved.


Does Firefox (and older Chrome) just ignore the "*" token today? I.e. can developers list a set of tokens along with "*" in order to use this compatibly on both Chrome and Firefox?

Ari Chivukula

Jul 18, 2023, 2:28:55 PM
to Rick Byers, blink-dev
Replies inline.
~ Ari Chivukula (Their/There/They're)


On Tue, Jul 18, 2023 at 1:59 PM Rick Byers <rby...@google.com> wrote:
> Seems like a pretty tiny addition to an already shipped feature. Just one question on future compat:
>
> On Mon, Jul 17, 2023 at 7:34 AM Ari Chivukula <ari...@chromium.org> wrote:

>> Summary
>>
>> Websites will now be able to clear all storage targets (“cookies”, “cache”, and “storage”) by sending `Clear-Site-Data: "*"`. Note that Chrome does not support clearing “executionContexts” at the moment, but if we added it in the future any header targeting “*” would then clear them too.
>
> What's the risk we'll find we can't actually do that for web compat reasons? Eg. sites deploying "*" today without appreciating the implications of asking for pages to be reloaded, then when we add "executionContexts" support in the future the user experience degrades enough that we can't actually ship it as part of the "*" set? Do we have guidance for developers on when to use "*" vs. a specific list?

That's a reasonable question, so I could see adding a note in the spec so developers are forewarned. The danger seems less compatibility and more performance (if new methods take significant time) as anyone sending "*" should assume no prior state for that page is retained.
 

>> Compatibility & Interoperability
>>
>> We would be the first to implement if approved.
>
> Does Firefox (and older Chrome) just ignore the "*" token today? I.e. can developers list a set of tokens along with "*" in order to use this compatibly on both Chrome and Firefox?

Rick Byers

Jul 18, 2023, 4:06:35 PM
to Ari Chivukula, blink-dev
Sounds good, thanks! I defer to your judgement on the future compat risk. Worst case "*" has to be redefined not to include "executionContexts", but that wouldn't be the ugliest wart in the web :-)

 LGTM1

Daniel Bratell

Jul 19, 2023, 11:55:02 AM
to Rick Byers, Ari Chivukula, blink-dev

Chris Harrelson

Jul 19, 2023, 12:03:09 PM
to Daniel Bratell, Rick Byers, Ari Chivukula, blink-dev