Cookie-related status updates.

Mike West <> Tue, 26 May 2020 14:22 UTC

To: HTTP Working Group

Hey folks!

Following on from the HTTPWG meeting for which I did not prepare slides,
here are some cookie-related status updates to flesh out the minutes:

1.  RFC6265bis continues to plod forward. We're in the "fixing niggly
issues" stage of things, and WPT has been quite helpful at giving us
insight into the way different user agents treat cookies today (see Some tests have
been difficult to replicate in WPT (`Domain` attribute tests in
particular), but I'm hopeful that we can produce tests that match our
expectations. The majority of the outstanding issues that I'd like to fix
are around the `SameSite` attribute, which needs some work (
Large outstanding issues like UTF-8 support seem (for example, but I am quite
unlikely to spend time on them. If anyone is interested in poking at that
particular bear, I would appreciate help!

2.  Browsers continue to experiment with cookies' default behaviors:

    2a. Chrome intends to continue working towards `SameSite=Lax` by
default. We rolled this out at ~50% in stable, and rolled it back in early
April due to some unexpected breakage at a particularly bad time (
Our rollout is now holding at ~50% of non-release channels (canary, dev,
beta), and we intend to try stable again, likely over the summer.

    2b. Safari has begun blocking third-party cookies entirely (,
gating access on the Storage Access API.

    2c. The -01 draft of "Incrementally Better Cookies" ( has some
updates of interest to folks on this list. In particular, it specifies the
proposals discussed in and in a little more detail.

    In particular, I'd appreciate feedback on section 3.6 of that draft
which aims to more reasonably define the notion of a "session" from a user
agent's perspective (with, admittedly, a browser/HTML-specific view of the
concepts a user agent might need to know about)