Cookie-related status updates.

Mike West <mkwst@google.com> Tue, 26 May 2020 14:22 UTC

From: Mike West <mkwst@google.com>
Date: Tue, 26 May 2020 16:19:08 +0200
Message-ID: <CAKXHy=fo1dZ_ZZybScPcmxHJQTF0krqvEDN64HbiEWwn+PZHSA@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Subject: Cookie-related status updates.
Archived-At: <https://www.w3.org/mid/CAKXHy=fo1dZ_ZZybScPcmxHJQTF0krqvEDN64HbiEWwn+PZHSA@mail.gmail.com>

Hey folks!

Following on from the HTTPWG meeting for which I did not prepare slides,
here are some cookie-related status updates to flesh out the minutes:

1.  RFC6265bis continues to plod forward. We're in the "fixing niggly
issues" stage of things, and WPT has been quite helpful at giving us
insight into the way different user agents treat cookies today (see
https://github.com/httpwg/http-extensions/issues/1136). Some tests have
been difficult to replicate in WPT (`Domain` attribute tests in
particular), but I'm hopeful that we can produce tests that match our
expectations. The majority of the outstanding issues that I'd like to fix
are around the `SameSite` attribute, which needs some work (
https://github.com/httpwg/http-extensions/issues?q=is%3Aopen+label%3A6265bis+label%3Asamesite).
Large outstanding issues like UTF-8 support seem (for example
https://github.com/httpwg/http-extensions/issues/1073), but I am quite
unlikely to spend time on them. If anyone is interested in poking at that
particular bear, I would appreciate help!

2.  Browsers continue to experiment with cookies' default behaviors:

    2a. Chrome intends to continue working towards `SameSite=Lax` by
default. We rolled this out at ~50% in stable, and rolled it back in early
April due to some unexpected breakage at a particularly bad time (
https://blog.chromium.org/2020/04/temporarily-rolling-back-samesite.html).
Our rollout is now holding at ~50% of non-release channels (canary, dev,
beta), and we intend to try stable again, likely over the summer.

    2b. Safari has begun blocking third-party cookies entirely (
https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/),
gating access on the Storage Access API.

    2c. The -01 draft of "Incrementally Better Cookies" (
https://tools.ietf.org/html/draft-west-cookie-incrementalism) has some
updates of interest to folks on this list. In particular, it specifies the
proposals discussed in https://github.com/mikewest/scheming-cookies and
https://github.com/sbingler/schemeful-same-site in a little more detail.

    In particular, I'd appreciate feedback on section 3.6 of that draft
<https://tools.ietf.org/html/draft-west-cookie-incrementalism-01#section-3.6>,
which aims to more reasonably define the notion of a "session" from a user
agent's perspective (with, admittedly, a browser/HTML-specific view of the
concepts a user agent might need to know about).

Thanks!

-mike
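The two defaults referred to in items 2a and 2c (a cookie with no `SameSite` attribute is treated as `SameSite=Lax`, and `SameSite=None` is only honoured when the cookie is also `Secure`) are the ones "Incrementally Better Cookies" specifies; the audit helper below is an added example written for this post, not code from the message, the draft or any browser. The function names and the `CookieAudit` record are assumptions of this example, and the draft's temporary "Lax-allowing-unsafe" carve-out for fresh cookies is deliberately not modelled.

```python
# Added example: audit a Set-Cookie header value against the defaults in
# draft-west-cookie-incrementalism (no SameSite -> Lax; None requires Secure).
# Function names and the CookieAudit record are this example's own assumptions.
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    effective_samesite: str          # "Lax", "Strict", "None" or "Rejected"
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (cookie-name, {lower-cased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header: str) -> CookieAudit:
    """Report how a user agent implementing the draft would treat this cookie."""
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").lower()
    audit = CookieAudit(name, "Lax")
    if samesite == "":
        audit.findings.append("no SameSite attribute: defaults to Lax, so it is "
                              "withheld from cross-site subresource and POST requests")
    elif samesite == "none":
        if secure:
            audit.effective_samesite = "None"
        else:
            audit.effective_samesite = "Rejected"
            audit.findings.append("SameSite=None without Secure: the cookie is rejected")
    elif samesite in ("lax", "strict"):
        audit.effective_samesite = samesite.capitalize()
    else:
        # An unrecognised value is treated as if the attribute were absent.
        audit.findings.append(f"unknown SameSite value {samesite!r}: treated as Lax")
    return audit


# Constructed sample headers, as a site owner might find in a response log.
SAMPLES = ["sid=abc123; Path=/; HttpOnly",
           "track=1; SameSite=None",
           "track=1; SameSite=None; Secure",
           "csrf=xyz; SameSite=strict"]
```

Running `audit_set_cookie` over `SAMPLES` flags the first two cookies as ones whose behaviour changes under the new defaults, which is the kind of breakage the Chrome rollout in 2a surfaced.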