Intent to Ship: Cookie Store API

950 views
Skip to first unread message

ay...@chromium.org

unread,
Sep 17, 2020, 5:06:57 PM9/17/20
to blink-dev

Contact emails

ay...@chromium.org, pwn...@chromium.org, jsb...@chromium.org


Explainer

https://github.com/WICG/cookie-store/blob/main/explainer.md


Specification

https://wicg.github.io/cookie-store/


Design docs

https://docs.google.com/document/d/1ak6JzOMMO5q3dXvu4mHFWR-LLvaDc09XDvdeJZLtZd4/edit?usp=sharing


TAG review

https://github.com/w3ctag/design-reviews/issues/469


Summary

The Cookie Store API exposes HTTP cookies to service workers and offers an asynchronous alternative to document.cookie.


Link to “Intent to Prototype” blink-dev discussion

https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/gU-tSdjR4rA/discussion


Link to Origin Trial Feedback Summary

https://docs.google.com/document/d/1-bFqtgxquTNoNBK-51MvhrsoRSIqZ63MBoiVLkCrP10/edit?usp=sharing 


Risks


Interoperability and Compatibility

Websites will still be able to use existing document.cookie for other browsers if they do not end up implementing this API. 


Gecko: Defer (https://mozilla.github.io/standards-positions/#cookie-store)


WebKit: No signal (https://lists.webkit.org/pipermail/webkit-dev/2020-August/031364.html)


Web developers: Positive (https://github.com/WICG/cookie-store/issues/31#issuecomment-239707182, https://discourse.wicg.io/t/rfc-proposal-for-an-asynchronous-cookies-api/1652/2)


Working with Internal Google partners.

One of the major use cases for this feature requested by web developers is for session cookies. Cookie Store API will allow Service Workers to react to session state changes and cleanup private cached data.


Security

None, this does not change the security properties of cookies on the Web Platform. Cookie Store API’s design also nudges developers toward better defaults with default path, and encourages security by restricting API usage to secure contexts only. (https://wicg.github.io/cookie-store/#restrict



Debuggability

DevTools already has great support for cookies.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes


Is this feature fully tested by web-platform-tests?

Yes https://wpt.fyi/results/cookie-store?label=experimental&label=master&aligned


Tracking bug

https://crbug.com/729800


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5658847691669504


Domenic Denicola

unread,
Sep 17, 2020, 5:17:40 PM9/17/20
to ay...@chromium.org, blink-dev

As spec mentor for this API, I want to chime and say that the feature and its specification look great. Over the last couple of weeks ayui@ has worked to close out remaining specification and explainer issues and get things into ship-shape. Notable examples:

 

At this point I’m very happy with the specification; it’s a model of clarity and precision, and should be interoperably implementable. (It’ll also be really nice for web developers!)

Manuel Rego Casasnovas

unread,
Sep 21, 2020, 8:01:27 AM9/21/20
to ay...@chromium.org, blink-dev
Hi,

On 17/09/2020 19:49, ay...@chromium.org wrote:
> Specification
>
> https://wicg.github.io/cookie-store/

Are you planning to move the spec out of incubation into any standards
group?

> TAG review
>
> https://github.com/w3ctag/design-reviews/issues/469

Nice to see that you incorporated the TAG review feedback into the final
proposal.

> Gecko: Defer (https://mozilla.github.io/standards-positions/#cookie-store)

It looks like the position has been re-opened and Mozilla's opinion
could change (or not):
https://github.com/mozilla/standards-positions/issues/94#issuecomment-682450403
It seems they like the idea but haven't evaluated some implications yet.
Do we have any more information about those potential concerns from Apple?

Thanks,
Rego

Ayu Ishii

unread,
Sep 21, 2020, 5:46:14 PM9/21/20
to Manuel Rego Casasnovas, blink-dev
Thanks for the questions!
 
>         Specification
>
> https://wicg.github.io/cookie-store/
Are you planning to move the spec out of incubation into any standards
group?

Currently no plans to move it out of incubation.

 
> WebKit: No signal
> (https://lists.webkit.org/pipermail/webkit-dev/2020-August/031364.html)
It seems they like the idea but haven't evaluated some implications yet.
Do we have any more information about those potential concerns from Apple?

We haven't received any feedback outside of what has been posted in public channels. 

Best,
Ayu

Ayu Ishii

unread,
Sep 21, 2020, 6:18:37 PM9/21/20
to blink-dev, Ayu Ishii, blink-dev
We are additionally asking permission to extend the Origin Trial for a "gapless" OT. We have an internal partner who built a feature on top of the Cookie Store API and would like to roll out. The partner has not requested any API changes, and was not impacted by the minor changes made during OT. I've updated the OT Summary document with this partner use case. 

Thanks,
Ayu

Yoav Weiss

unread,
Sep 24, 2020, 6:17:43 AM9/24/20
to ay...@chromium.org, David Benjamin, blink-dev
LGTM1

Thanks for working on this! I believe this has been in the works for many years, so great to see you taking it over the finish line :)

While reviewing this (and because I've been thinking about this problem in other contexts, thanks to +David Benjamin), I realized that SWs that are using Cache.match() won't take these cookies into account.
That's already true for cookies today, and also true for other headers added below the SW (e.g. `User-Agent`).
As such, it doesn't seem like a blocker, but does seem like something we may want to eventually address (e.g. maybe by feeding information about cookies, UA string, etc to the `match()` method as part of `options`).
I filed a SW issue to discuss that.


Security

None, this does not change the security properties of cookies on the Web Platform. Cookie Store API’s design also nudges developers toward better defaults with default path, and encourages security by restricting API usage to secure contexts only. (https://wicg.github.io/cookie-store/#restrict



Debuggability

DevTools already has great support for cookies.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes


Is this feature fully tested by web-platform-tests?

Yes https://wpt.fyi/results/cookie-store?label=experimental&label=master&aligned


Tracking bug

https://crbug.com/729800


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5658847691669504


--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e8f2acdb-ca4a-41e3-b183-f2a86d0def53o%40chromium.org.

Chris Harrelson

unread,
Sep 24, 2020, 11:54:21 AM9/24/20
to Yoav Weiss, ay...@chromium.org, David Benjamin, blink-dev
LGTM2 to ship and LGTM for a gapless OT, given evidence of partner engagement.

Mike West

unread,
Sep 24, 2020, 3:15:10 PM9/24/20
to blink-dev, Chris Harrelson, Ayu Ishii, David Benjamin, blink-dev, yo...@yoav.ws
LGTM3. I'm happy with the way this API has developed over time, and it seems like a distinct improvement over `document.cookie` with a better set of defaults and restrictions.

Ayu Ishii

unread,
Dec 9, 2020, 1:19:20 PM12/9/20
to blink-dev, Mike West, Chris Harrelson, Ayu Ishii, David Benjamin, blink-dev, yo...@yoav.ws
Thank you for all the approvals!

Just updating this thread to inform that the Trial end date has been extend to Jan 31, 2021 (M86) for the gapless OT.
This is an additional update from the Dec 15, 2021 (M86) date to make sure users have enough time to transition to the shipped version. 

Thanks,
Ayu
Reply all
Reply to author
Forward
0 new messages