I think that this is a very useful API would like to see it! My one
concern is that the CookieStore information is a bit vague, and I'm
not sure how it's directly applicable as it stands.
== Permissions ==
How does this API interact with permissions in the manifest? Clearly,
an extension would need to request access to the cookie API. It would
be nice if we restricted access to only those cookies for the origins
in the extension's permission.
== Cookie Names ==
You seem to be assuming that a cookie is uniquely determined the the
pair (url, name). This is in fact not the case. There can be
multiple cookies with the same name for a given URL. Can't we just
return an array of cookie objects?
== getAll ==
Do we really want to give all the cookies in the entire cookie store
to the script at once? That seems like a lot. Maybe we should use
some kind of iterator pattern.
== set ==
We'll probably want to include a URL in the set method to mirror the
URL in the get method. We might be able to get away without this for
now, but we might really want this in the future given that the other
ways of setting cookies (e.g., the via HTTP headers and
document.cookie) provide this URL as context.
== Secure cookies ==
In the Cookie data structure, it seems like we'd want a boolean for
the Secure attribute. You might looks at
<https://developer.mozilla.org/en/nsICookieManager2> as an interesting
point of comparison to see if you missed anything else.
== Cookie paths ==
Why does the path attribute default to "/" ? On the wire, the path
defaults to the default-path value specified in
<http://tools.ietf.org/html/draft-ietf-httpstate-cookie>.
== Cookie domain ==
How do you intend to distinguish between host-only cookies and domain
cookies? One approach is to use a leading "." in the domain field of
the cookie data structure. Another approach is to use a separate
boolean flag. Either is probably fine, but your spec should be clear
about which you're using. To align with the Firefox API
<https://developer.mozilla.org/en/nsICookie>, we'd use a separate
boolean (which is probably best).
== Style issues ==
I'd call "expirationDate" either "expires" (to match the on-the-wire
syntax) or "expiry" (to match what this is called in the spec). Note
that Firefox uses both names for slight variations on this value (see
<https://developer.mozilla.org/en/nsICookie> and
<https://developer.mozilla.org/en/nsICookie2>).
== Deleting cookies ==
Is there an easy way to delete cookies with this API? That will
probably be a common use case, e.g., for cookie managers. It might be
a good idea to provide a specific delete method.
== Blocking cookies ==
Currently, there's no way to build a race-free cookie blocker with
this API. That might just be a limitation of the architecture,
however, because a race-free cookie blocker would need to get result
synchronously.
== Final thoughts ==
If you haven't already, I'd encourage you to read
<http://tools.ietf.org/html/draft-ietf-httpstate-cookie>. That will
give you a sense for some of the edge cases here. If you have
questions, I'm happy to answer them. If you have feedback on the spec
itself, you can either send them to me directly or to
http-...@ietf.org
Adam
> --
> Chromium Developers mailing list: chromi...@chromium.org
> View archives, change email options, or unsubscribe:
> http://groups.google.com/a/chromium.org/group/chromium-dev
>
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2010-February/025300.html
It might be a good idea to coordinate with that group on the Cookie
data structure if the whatwg is interested in speccing a replacement
for the document.cookie API.
Adam
On Mon, Feb 22, 2010 at 10:01 PM, Adam Barth <aba...@chromium.org> wrote:
At a high level, this looks good. Detailed comments below.
== Permissions ==
How does this API interact with permissions in the manifest? Clearly,
an extension would need to request access to the cookie API. It would
be nice if we restricted access to only those cookies for the origins
in the extension's permission.
== Cookie Names ==
You seem to be assuming that a cookie is uniquely determined the the
pair (url, name). This is in fact not the case. There can be
multiple cookies with the same name for a given URL. Can't we just
return an array of cookie objects?
== getAll ==
Do we really want to give all the cookies in the entire cookie store
to the script at once? That seems like a lot. Maybe we should use
some kind of iterator pattern.
== set ==
We'll probably want to include a URL in the set method to mirror the
URL in the get method. We might be able to get away without this for
now, but we might really want this in the future given that the other
ways of setting cookies (e.g., the via HTTP headers and
document.cookie) provide this URL as context.
== Secure cookies ==
In the Cookie data structure, it seems like we'd want a boolean for
the Secure attribute. You might looks at
<https://developer.mozilla.org/en/nsICookieManager2> as an interesting
point of comparison to see if you missed anything else.
== Cookie paths ==
Why does the path attribute default to "/" ? On the wire, the path
defaults to the default-path value specified in
<http://tools.ietf.org/html/draft-ietf-httpstate-cookie>.
== Cookie domain ==
How do you intend to distinguish between host-only cookies and domain
cookies? One approach is to use a leading "." in the domain field of
the cookie data structure. Another approach is to use a separate
boolean flag. Either is probably fine, but your spec should be clear
about which you're using. To align with the Firefox API
<https://developer.mozilla.org/en/nsICookie>, we'd use a separate
boolean (which is probably best).
== Style issues ==
I'd call "expirationDate" either "expires" (to match the on-the-wire
syntax) or "expiry" (to match what this is called in the spec). Note
that Firefox uses both names for slight variations on this value (see
<https://developer.mozilla.org/en/nsICookie> and
<https://developer.mozilla.org/en/nsICookie2>).
== Deleting cookies ==
Is there an easy way to delete cookies with this API? That will
probably be a common use case, e.g., for cookie managers. It might be
a good idea to provide a specific delete method.
== Blocking cookies ==
Currently, there's no way to build a race-free cookie blocker with
this API. That might just be a limitation of the architecture,
however, because a race-free cookie blocker would need to get result
synchronously.
On Wed, Feb 24, 2010 at 3:53 PM, Cynthia Lau <cind...@google.com> wrote:
> Hi Adam,
> Thanks for the comments and the link to the IETF document; that definitely
> helped me wrap my head around the potential edge cases. More comments
> inline.
Glad that was helpful.
> On Mon, Feb 22, 2010 at 10:01 PM, Adam Barth <aba...@chromium.org> wrote:
>>
>> At a high level, this looks good. Detailed comments below.
>>
>> == Permissions ==
>>
>> How does this API interact with permissions in the manifest? Clearly,
>> an extension would need to request access to the cookie API. It would
>> be nice if we restricted access to only those cookies for the origins
>> in the extension's permission.
>
> I agree that a "cookies" permissions item could be nice. Restricting cookie
> access to specific origins would also probably add safety, but would remove
> the possibility of a Chrome Extension that could enumerate all the existing
> cookies for the user to provide some sort of cookie management
> functionality. I personally don't need this total cookie visibility for my
> own extension work, but it seemed like a nice-to-have. Does it compromise
> security too much in your opinion?
Keep in mind that an extension can ask for http://* and https://*, so
an extension author can get access to all the cookies if he/she is
writing a cookie manager. I think it's important for security to
restrict cookie access according to the extensions permissions because
cookies are often the most confidential information web sites have.
>> == Cookie Names ==
>>
>> You seem to be assuming that a cookie is uniquely determined the the
>> pair (url, name). This is in fact not the case. There can be
>> multiple cookies with the same name for a given URL. Can't we just
>> return an array of cookie objects?
>
> Okay, I wasn't aware of that. I can return an array of cookies, but then
> this API essentially becomes the same as getAll(), aside from domain and
> name being optional in getAll(). Perhaps I can just consolidate the two,
> allowing get() to optionally not provide a name (thus returning all cookies
> for the given domain).
Based on some feedback on the whatwg list from some YUI developers, it
looks like developers commonly want to retrieve a single cookie by
name. Maybe we should just return the first cookie that matches the
supplied name. That will do what the developer wants in the common
case. (Note that multiple cookies with the same name are rare.)
>> == getAll ==
>>
>> Do we really want to give all the cookies in the entire cookie store
>> to the script at once? That seems like a lot. Maybe we should use
>> some kind of iterator pattern.
>
> I guess this discussion depends on whether we decide to restrict cookie
> access to a specific list of allowed hosts in the manifest permissions.
>
> Assuming we don't, then as one possible solution, I could add an API that
> returns a list of all the existing cookie domains, and let the API user call
> get() on each of these domains.
> If that's still too extensive, I suppose we could introduce some sort of
> iterator pattern; it would need to define some definitive ordering of
> cookies (perhaps a single iterator location providing access to a single
> domain string that exists in the cookie store?), and would need to be able
> to handle changes to the cookie store happening during iteration.
> I don't see any precedents for iterators in the existing Chrome Ext APIs;
> would this work best as a user-provided callback that is invoked
> automatically on each iteration (perhaps providing a return value indicating
> whether to continue or end the iteration)? This seems to match the current
> API design reasonably well. Alternatively some sort of handle (or even a
> domain string itself) could represent a position in the iteration. I am
> open to suggestions here.
We should get some feedback from Peter on this point. Peter, do you
have a sense for how large the cookie store is? Is it reasonable to
return the entire cookie store at once via an extension API?
Another thought on the getAll API is that we could take a Cookie
object as the cookeInfo parameter. The API could then return all the
cookies that match whatever properties are defined on that object.
For example, that would let the developer filter by domain.
>> == Secure cookies ==
>>
>> In the Cookie data structure, it seems like we'd want a boolean for
>> the Secure attribute. You might looks at
>> <https://developer.mozilla.org/en/nsICookieManager2> as an interesting
>> point of comparison to see if you missed anything else.
>>
> Done. The link you provided has a separate boolean called 'aIsSession' if
> the cookie is for the current session only. I had this flag implicitly
> indicated by the existence or absence of the expiry property. Is it worth
> having an explicit bool for this?
I don't think we need an extra bool for this property.
> Also, the nslCookie2 class has creationTime and lastAccessed fields. I
> wonder whether this is useful as part of the API or if it's overkill at this
> time.
They're probably not necessary at this time. We have them internally.
I guess they might be useful, but it seems like extra complexity that
we might not need.
Adam
(reposting from the correct email addr)
On Thu, Feb 25, 2010 at 12:53 AM, Cynthia Lau <cind...@google.com> wrote:
>> == Blocking cookies ==
>>
>> Currently, there's no way to build a race-free cookie blocker with
>> this API. That might just be a limitation of the architecture,
>> however, because a race-free cookie blocker would need to get result
>> synchronously.
>>
>
> I'll wait for Darin and Jochen to weigh in on this idea.
I'm thinking about ways to ask the user about what to do with a cookie
without blocking the browser. That requires some way to defer blocking
decisions. However, this is still just a rough idea...
As far as I understood this proposal, it's point is more about
observing cookies, and handling them in a similar way as in-page
javascript can do for its own cookies. I'm not sure whether it's a
good idea to also include network level cookie blocking to this api.
best
-jochen
I think that this is a very useful API would like to see it! My one
concern is that the CookieStore information is a bit vague, and I'm
not sure how it's directly applicable as it stands.
best
-jochen
Keep in mind that an extension can ask for http://* and https://*, so
an extension author can get access to all the cookies if he/she is
writing a cookie manager. I think it's important for security to
restrict cookie access according to the extensions permissions because
cookies are often the most confidential information web sites have.
>> == Cookie Names ==Based on some feedback on the whatwg list from some YUI developers, it
>>
>> You seem to be assuming that a cookie is uniquely determined the the
>> pair (url, name). This is in fact not the case. There can be
>> multiple cookies with the same name for a given URL. Can't we just
>> return an array of cookie objects?
>
> Okay, I wasn't aware of that. I can return an array of cookies, but then
> this API essentially becomes the same as getAll(), aside from domain and
> name being optional in getAll(). Perhaps I can just consolidate the two,
> allowing get() to optionally not provide a name (thus returning all cookies
> for the given domain).
looks like developers commonly want to retrieve a single cookie by
name. Maybe we should just return the first cookie that matches the
supplied name. That will do what the developer wants in the common
case. (Note that multiple cookies with the same name are rare.)
That section of the spec is still under debate. What I would say is
that the API should return the first cookie with that name that would
appear in the Cookie header. That way it's the CookieMonster's
problem to figure out the proper ordering.
I like the idea of having to explicitly ask for HttpOnly cookies. You
seem to be considering the right factors here. I think you should use
your best judgement as the designer of the API.
Adam
Adam
--
-j
-j