> *Summary*: CookieStore API is an asynchronous Javascript cookies API for documents and service workers. Together with WebKit, we agreed to ship a subset of the originally proposed API to expose only the cookie details already available through `document.cookie`.
It's not clear whether you plan to expose this to service workers. Here you've described it as an API service workers can use; below you only say you're not supporting the events. But but exposing cookies to ServiceWorker would contradict "only the cookie details already available through `document.cookie`" since service workers don't have access to that. On Tue, Sep 17, 2024 at 12:18 AM Daniel Veditz <[email protected]> wrote: > I'm very glad we're doing this. `document.cookie` is a horrible interface > > We plan to land a prototype that diverges from the official spec by the >> following points: >> > > I strenuously object to calling it an "official spec". It is a WICG > proposal from a single vendor and not currently on any standards track. > > 1. Only cookie names and values are shared via >> `CookieStore.get()`/`getAll()` methods. In this way, we do not expose more >> than what `document.cookie` already offers. >> > > Boooo! A major contributor to cookie-based attacks is the fact that > duplicate names can be injected at different scopes, and documents/sites > have no way to distinguish a real from injected cookie. The unique key for > a cookie is name+domain+path and if we don't return all of those we have > not helped the status quo much at all. If all you're allowed to know is > 1/3rd of a cookie's key, the only secure choice is `__Host-` prefixed > cookies (which have fixed values for domain and path). But those aren't > always appropriate. > > The domain values can only be the same or a subset of the current site's > domain. The site already knows those -- you can't learn any secret sibling > domain names. Similarly, the path values have to be a subset of the current > URLs path or the cookie wouldn't have been served, so the currently page > doesn't learn anything about sibling/parent/descendent sites from that, > either. If there's a cookie that you didn't set then you could maybe learn > things from the name and value, but that's already true for > `document.cookie`. > > Are you only supporting get() and getAll(), or do you also plan to support > set() and delete()? > > 3. Following up on the previous point, `CookieStore.onchange` event >> handler is also exposed to ServiceWorkers. >> > > Meaning we're not going to support CookieStore.onchange, right ? > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CADYDTCAdvHa%2BwZGAGh0%3DzF%3DNdBZBvOWP62Vm43dhbt%2Bt4E7cVQ%40mail.gmail.com.
