Intent to Prototype: Allow cookie domain attributes to be the empty string
Kyra Seevers
Contact emails
kyras...@chromium.org, mike...@chromium.org, jadek...@chromium.orgExplainer
https://github.com/httpwg/http-extensions/issues/1332https://github.com/httpwg/http-extensions/pull/1709
Specification
https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.3Design docs
https://docs.google.com/document/d/1oyG_OF9YrMR1icbvh9rAT6dFcb7qiKOf2wCngKIWNto/edit?usp=sharingSummary
Updates the parsing of cookie strings to allow a cookie's domain attribute to be set to the empty string. This change will also correct the failing web-platform tests related to an empty string domain. Additionally, it brings Chrome in alignment with the draft RFC6265bis specification, and will improve interoperability with Safari and Firefox by matching their treatment of an empty cookie domain attribute.
Blink component
Internals>Network>CookiesMotivation
Currently, Chrome exhibits confusing and non-standard behavior when a cookie is set with an empty string in the domain attribute. In Chrome's ParsedCookie class and related unit and web-platform tests, a cookie string with an empty string domain does not set the domain attribute. Functionally, this causes a cookie’s domain value to equal the previously specified domain for this cookie if present. However, this behavior conflicts with the RFC6265bis, as the resulting cookie in this situation should simply be bound to its request url’s host, termed a “host cookie.” The goal of this design is to align Chrome’s behavior with the domain attribute handling described in the draft RFC6265bis, and by extension, correct errors in cookie tests resulting from this behavior change.
Initial public proposal
NoneTAG review
Not applicableTAG review status
Not applicableRisks
Interoperability and Compatibility
This feature is relatively small so we do not expect many risks. To verify this, we landed a UMA metric to measure when a ParsedCookie is set up with more than one domain attribute and one of those domain values is the empty string. Initial results suggest that 0.0001% of cookies currently exhibit this behavior. Additionally, when considering only cookies from unique hosts, the results suggest only 0.00001% of cookies have a unique host requesting this behavior.
Gecko: Shipped/Shipping
WebKit: Shipped/Shipping
Web developers: Positive (https://github.com/httpwg/http-extensions/issues/1332#issuecomment-939039730)
Other signals:
Debuggability
This change will not require debugging support outside of the existing DevTools support for cookies.
Is this feature fully tested by web-platform-tests?
YesFlag name
CookieDomainEmptyStringRequires code in //chrome?
FalseTracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=1258025Estimated milestones
No milestones specified