Proposal: Optional "Purpose" Attribute for Set-Cookie Header
João Penteado <joao@penteado.me> Sat, 24 August 2024 18:08 UTC
From: João Penteado <joao@penteado.me>
Date: Sun, 25 Aug 2024 03:06:46 +0900
Message-ID: <CACfd0dFXvK8EhHzabpu++xkTYdTL=zEro09LsSm4wo88N=heGg@mail.gmail.com>
To: ietf-http-wg@w3.org
Archived-At: <https://www.w3.org/mid/CACfd0dFXvK8EhHzabpu++xkTYdTL=zEro09LsSm4wo88N=heGg@mail.gmail.com>
Hi all,

I'd like to start a discussion about introducing a new optional "Purpose" (or a generic "Tag") attribute in the Set-Cookie header specification. The intended use case for this would be for servers to automatically signal to the client's browser the specific functionality provided by the cookie being set. IANA could maintain a registry of standardized purposes, such as "auth", "functional", "preferences", "analytics", "error-reporting", "marketing" and others.

This could be implemented as follows:

> Set-Cookie: id=1234567890; Purpose=auth

The primary goal of this proposal is to alleviate the current UX issues caused by cookie consent pop-ups, which have become prevalent since the introduction of the GDPR and similar privacy regulations. Leaving aside the discussion about whether or not these pop-ups are actually required by different privacy legislation, or whether they were its intent in the first place, the fact is that many websites adopt this behavior nowadays and it is very frustrating. The idea is that users could set their cookie preferences at the browser level, potentially reducing the need for repetitive pop-up interactions.

Of course, this proposal hinges on the assumption that servers would be willing to adopt this standard and honestly disclose a cookie's purpose. I believe this is a reasonable expectation for the following reasons:

1. Websites that implement cookie consent pop-ups are already disclosing the purpose of cookies, albeit with a suboptimal user experience. Misrepresentation could expose them to legal risks. The UX issues are not present in websites not implementing the pop-ups, so it wouldn't affect them anyway.

2. These websites also care about user experience, as it directly impacts brand perception, sales, and other business metrics.

Given how widespread and obnoxious these pop-ups have become, I find it surprising that a similar proposal hasn't been widely adopted yet.

If this idea has been previously discussed and dismissed, I would appreciate any references to those discussions, as I couldn't find them easily. I look forward to hearing what other folks in the industry think about this.

Thanks,
- João
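The client-side half of what the proposal describes, as an added example that is not part of the original post or of any browser's code: a Set-Cookie parser that reads the proposed Purpose attribute, maps it against a registry of purpose names, and applies browser-level user preferences to decide whether to store the cookie. The Purpose attribute, the registry values and the preference model are assumptions taken from the proposal's own wording; none of them is standardized.

```javascript
// Added example, not from the original post. The "Purpose" attribute and the
// registry contents below are assumptions based on the proposal's wording.

// Hypothetical IANA-style registry of purpose tokens (from the proposal text).
const REGISTERED_PURPOSES = new Set([
  "auth", "functional", "preferences", "analytics", "error-reporting", "marketing",
]);

// Minimal Set-Cookie parser: first pair is name=value, the rest are attributes.
// Attribute names are case-insensitive, as they are for existing attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf("=");
  if (eq <= 0) return null; // an empty cookie name is rejected outright
  const name = parts[0].slice(0, eq).trim();
  const value = parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// A missing, empty or unregistered Purpose is treated as "unclassified" rather
// than trusted, so a server cannot bypass preferences with a made-up token.
function classifyPurpose(cookie) {
  const raw = cookie.attrs.purpose;
  if (typeof raw !== "string" || raw === "") return "unclassified";
  const p = raw.toLowerCase();
  return REGISTERED_PURPOSES.has(p) ? p : "unclassified";
}

// Constructed sample of browser-level user preferences.
const userPrefs = {
  allow: new Set(["auth", "functional", "preferences", "error-reporting"]),
  unclassified: "allow-session-only", // alternatives: "allow", "block"
};

// Decide what to do with one Set-Cookie header under the given preferences.
// Note: the Purpose value is self-declared by the server and cannot be verified
// by the client; this is a consent mechanism, not a security boundary.
function decide(header, prefs) {
  const cookie = parseSetCookie(header);
  if (!cookie) return { action: "reject", reason: "malformed" };
  const purpose = classifyPurpose(cookie);
  const hasExpiry = "expires" in cookie.attrs || "max-age" in cookie.attrs;

  if (purpose === "unclassified") {
    if (prefs.unclassified === "block") {
      return { action: "block", purpose, name: cookie.name };
    }
    // "allow-session-only": store it, but drop Expires/Max-Age so it does not persist.
    const sessionOnly = prefs.unclassified === "allow-session-only" || !hasExpiry;
    return { action: "store", purpose, name: cookie.name, sessionOnly };
  }

  if (prefs.allow.has(purpose)) {
    return { action: "store", purpose, name: cookie.name, sessionOnly: !hasExpiry };
  }
  return { action: "block", purpose, name: cookie.name };
}

// Constructed sample headers exercising each branch.
const SAMPLE_HEADERS = [
  "id=1234567890; Purpose=auth; Secure; HttpOnly",   // allowed purpose -> store
  "_ga=GA1.2.123; Purpose=analytics; Max-Age=63072000", // disallowed -> block
  "legacy=1; Max-Age=3600",                            // no Purpose -> session only
  "trk=abc; Purpose=fingerprint",                      // unregistered -> unclassified
  "=nope; Purpose=auth",                               // malformed -> reject
];

for (const h of SAMPLE_HEADERS) {
  console.log(JSON.stringify(decide(h, userPrefs)), "<-", h);
}
```

Two points a practitioner would note from running this. First, the filter only works if unknown and missing purposes fall into a conservative bucket; if "no Purpose" meant "allow", every existing cookie would pass unchanged and the attribute would add nothing. Second, Purpose says nothing about how the cookie is protected: Secure, HttpOnly and SameSite are processed exactly as before, and a cookie tagged Purpose=auth that lacks them is still an unprotected session token.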