I'm very glad we're doing this. `document.cookie` is a horrible interface We plan to land a prototype that diverges from the official spec by the > following points: >
I strenuously object to calling it an "official spec". It is a WICG proposal from a single vendor and not currently on any standards track. 1. Only cookie names and values are shared via > `CookieStore.get()`/`getAll()` methods. In this way, we do not expose more > than what `document.cookie` already offers. > Boooo! A major contributor to cookie-based attacks is the fact that duplicate names can be injected at different scopes, and documents/sites have no way to distinguish a real from injected cookie. The unique key for a cookie is name+domain+path and if we don't return all of those we have not helped the status quo much at all. If all you're allowed to know is 1/3rd of a cookie's key, the only secure choice is `__Host-` prefixed cookies (which have fixed values for domain and path). But those aren't always appropriate. The domain values can only be the same or a subset of the current site's domain. The site already knows those -- you can't learn any secret sibling domain names. Similarly, the path values have to be a subset of the current URLs path or the cookie wouldn't have been served, so the currently page doesn't learn anything about sibling/parent/descendent sites from that, either. If there's a cookie that you didn't set then you could maybe learn things from the name and value, but that's already true for `document.cookie`. Are you only supporting get() and getAll(), or do you also plan to support set() and delete()? 3. Following up on the previous point, `CookieStore.onchange` event handler > is also exposed to ServiceWorkers. > Meaning we're not going to support CookieStore.onchange, right ? -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CADYDTCDtV03G%2B%2BuhQajkNqUc4fUB4hpAf-Ry_NWX8p-rwaV0OA%40mail.gmail.com.
