On Fri, Jan 25, 2019 at 11:55 PM Ehsan Akhgari <ehsan.akhg...@gmail.com> wrote:
> On Fri, Jan 25, 2019 at 2:51 PM Daniel Veditz <dved...@mozilla.com> wrote: > >> >> Your description equating cookies and storage within a document lifetime >> makes sense. Is this intended to also apply to network requests? The >> first-party document already has no access to 3rd party cookies so it >> shouldn't matter at that level if Necko's rules change "live". If I'm on >> twitter/facebook (which make constant background requests) and I clear my >> entire cookie jar those documents are going to break. If I just tossed all >> my cookies that's what I want! Discovering that I'm still logged into those >> sites would be disturbing. Similarly, if I flip the "block 3rd-party >> cookies" pref I'm going to react negatively if I still see tracker cookies >> showing up just because I've left an active page open somewhere. >> > > Cookies have been dynamic and racey since the dawn of time, both at the > HTTP layer and in their reflection in DOM (document.cookie). Clearing your > cookies isn't something that is changed by this proposal. I'm not too sure > how Andrea was planning to handle cookie policy at the Necko layer but we > have a lot of flexibility here and pages also can probably tolerate dynamic > changes to document.cookie. I *think* handling the cookie policy globally > at the Necko layer is probably easier but I'm curious to know Andrea's > thoughts. > As Ehsan says, I don't want to change how we cleanup cookies but only how we expose cookie policy and how to treat cookie permissions. About the implementation, I would store the current cookie policy and cookie permission into the nsILoadInfo object of a document/subdocument nsIChannel. This information will be used in nsCookieService, document.cookies() getter/setter and propagated to any storage/communication API as described in this email thread (from BroadcastChannel to localStorage). I also would audit any cookie-permission check and any cookie-policy preference getter call. In this way, when the cookie behavior or a cookie permission changes, the document will not be affected because it has its own 'copy' of the previous values. We also need to improve the UI to communicate the the changes will apply at the next reload of the current tabs. _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
