Thanks! I wrote up your suggested edits here: https://github.com/httpwg/http-extensions/pull/1980
~ Ari Chivukula (Their/There/They're)

On Tue, Jan 25, 2022 at 5:28 PM John Wilander <wilan...@apple.com> wrote:

> Hi Ari!
>
> Apple WebKit and CFNetwork (HTTP stack for Apple ports of WebKit) support
> a 400-day max-age upper limit with some caveats.
>
> We think there should always be a limit (your case 1), that user agents
> should be free to use a lower or a higher limit, and that 400 days is a
> good recommended limit to put in the spec (your case 2 but softer).
>
> Some detailed feedback:
>
> We understand your ≈13 months analysis but wanted to point out that there
> are things called “annual” that can go a bit further than 13 months, for
> instance tax filing which can be done early one year, late the next, and
> result in a ≈440 day span.
>
> There are use cases for cookies outside of web browsers where no limit
> still makes sense. For instance machine-to-machine communication over HTTP.
> The spec may want to call that out.
>
> Regards, John
>
> On Jan 19, 2022, at 8:12 AM, Ari Chivukula via webkit-dev <
> webkit-dev@lists.webkit.org> wrote:
>
> I'd like to get WebKit's position on:
> (1) Having an explicit upper limit for Cookie Expires/Max-Age attributes
> (2) Having an explicit upper limit for Cookie Expires/Max-Age attributes
> that's less than or equal to 400 days
>
> https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-expires-attribute-2
> https://github.com/httpwg/http-extensions/pull/1732
> https://github.com/mozilla/standards-positions/issues/592
> https://bugs.chromium.org/p/chromium/issues/detail?id=1264458
>
> The draft of rfc6265bis now contains an upper limit for Cookie
> Expires/Max-Age attributes. As written:
> `The user agent MUST limit the maximum value of the [Max-Age/Expiration]
> attribute. The limit MUST NOT be greater than 400 days (34560000 seconds)
> in duration. The RECOMMENDED limit is 400 days in duration, but the user
> agent MAY adjust the limit to be less. [Max-Age/Expiration] attributes that
> are greater than the limit MUST be reduced to the limit.`
>
> 400 days was chosen as a round number close to 13 months in duration. 13
> months was chosen to ensure that sites one visits roughly once a year
> (e.g., picking health insurance benefits) will continue to work.
>
> Safari is already partially compliant (has an upper age limit of 7 days
> when cookies are set client side), while Firefox and Chrome both support
> cookies with expiration dates orders of magnitude longer than a millennium in
> the future.
>
> According to measurements in Chrome of all cookies set about 20% have an
> Expires/Max-Age further than 400 days in the future. Of that 20%: half
> target 2 years, a quarter target 10 years or more, and the remainder are
> spread over the rest of the range.
>
> ~ Ari Chivukula (Their/There/They're)
> _______________________________________________
> webkit-dev mailing list
> webkit-dev@lists.webkit.org
> https://lists.webkit.org/mailman/listinfo/webkit-dev
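The limit rule quoted from the rfc6265bis draft in this thread, as an added example that is not code from the draft, from WebKit, or from anyone in the thread: it reduces a cookie's requested lifetime to the user agent's limit, with Max-Age taking precedence over Expires as in RFC 6265. The names `cappedExpiry`, `parseAttributes` and `MAX_LIMIT_SECONDS` are hypothetical, and `Date.parse` is an assumed stand-in for the spec's cookie-date parser.

```javascript
// Added example, not code from the draft or from any browser.
const MAX_LIMIT_SECONDS = 400 * 24 * 60 * 60; // 34560000 seconds, per the quoted draft text

// Collect the attributes of one Set-Cookie value, keyed by lowercase name.
function parseAttributes(setCookie) {
  const attrs = new Map();
  for (const part of setCookie.split(";").slice(1)) {
    const eq = part.indexOf("=");
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs.set(name, eq === -1 ? "" : part.slice(eq + 1).trim()); // last one wins
  }
  return attrs;
}

// Returns { expiresMs, capped }. expiresMs is null for a session cookie.
// limitSeconds is the user agent's chosen limit: it may be lower than 400 days, never higher.
function cappedExpiry(setCookie, nowMs, limitSeconds = MAX_LIMIT_SECONDS) {
  if (!(limitSeconds >= 0 && limitSeconds <= MAX_LIMIT_SECONDS)) {
    throw new RangeError("limit must be between 0 and 400 days");
  }
  const attrs = parseAttributes(setCookie);
  const latestMs = nowMs + limitSeconds * 1000;
  let requestedMs = null;
  const maxAge = attrs.get("max-age");
  if (maxAge !== undefined && /^-?\d+$/.test(maxAge)) {
    // Max-Age takes precedence over Expires (RFC 6265).
    const seconds = Number(maxAge);
    requestedMs = seconds <= 0 ? 0 : nowMs + seconds * 1000; // <= 0 means already expired
  } else if (attrs.has("expires")) {
    // Assumption: Date.parse stands in for the spec's cookie-date parser.
    const parsed = Date.parse(attrs.get("expires"));
    if (!Number.isNaN(parsed)) requestedMs = parsed;
  }
  if (requestedMs === null) return { expiresMs: null, capped: false };
  const capped = requestedMs > latestMs;
  return { expiresMs: capped ? latestMs : requestedMs, capped };
}

// Constructed sample input; "now" is fixed so the results are reproducible.
const NOW = Date.UTC(2022, 0, 25);
for (const header of [
  "id=1; Max-Age=63072000",                       // 2 years, gets reduced
  "id=1; Expires=Fri, 01 Jan 2100 00:00:00 GMT",  // far future, gets reduced
  "id=1; Max-Age=3600; Secure",                   // under the limit, unchanged
]) {
  const { expiresMs, capped } = cappedExpiry(header, NOW);
  console.log(header, "->", new Date(expiresMs).toISOString(), capped ? "(capped)" : "");
}
```

A user agent that picks a lower limit, as the draft permits, passes it as the third argument; a value above 400 days is rejected.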