-
Notifications
You must be signed in to change notification settings - Fork 143
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cookie removal algorithm #494
Comments
Sorry I didn't see this when you first filed it.
I'd rephrase this a bit. :) The relevant claim here is less that I prefer I recognize that other vendors are unlikely to ship the attribute. I'm very open to reviewing the results of y'all's experimentation to see if the results in other browsers show that we're making the wrong choice in Chrome, but my (biased) opinion at the moment is that |
I'm circulating this with some coworkers at Apple to gather input. |
This seems like it's out of scope for 6265bis; it wasn't in the list of proposals we accepted, and isn't a low-level interop / clarification issue. I'd suggest we punt this until a future revision. |
This foremost relates to the arbitrary limits that cookie stores place on cookies, both globally and per-domain.
RFC 6265 says the following:
We did some investigation into this and discovered some problems with this process as implemented. Browsers tend to remove a fixed number of cookies once they hit storage limits. From what I can tell, browsers sort by last-access, but remove up to a fixed number of cookies.
This is bad for the integrity of storage. Retaining some, but not all cookies is a great recipe for getting incomplete state. That can be a security exposure. That was part of what made some of the attacks in this paper possible and motivated the the leave-secure-cookies-alone fix.
When we looked at this we first concluded on the following algorithm:
foo.example.com
, remove(!foo).example.com
cookies, but not example.com cookies).foo.example.com/foo
, removefoo.example.com/(!foo)
).foo.example.com
, remove anything ending inexample.com
).On review, I think that we can continue to use last-access date to drive this, with a much smaller change. I'm proposing two small changes:
Require that last-access is set to the same value for every accessed cookie when constructing the Cookie header field (the text currently says the "current date and time".
Require that when an unexpired cookie is removed, require that all cookies that share a domain and have the same (or older) last-access date also be removed.
This ensures that if a site receives incomplete cookie state, then it is at least an incomplete state that might reasonably have been created by an adjacent site. For example, say that
foo.example.com
installs and depends on cookies atexample.com
, then ifbar.example.com
triggers deletion, then it will remove onlyfoo.example.com
cookies. It can't be perfect because there is a risk thatexample.com
cookies are actually specific tofoo.example.com
and have an interdependency onfoo.example.com
cookies, but that's a risk we're already exposed to.This can result in the same results as the algorithm I described above, but it also might allow for more granular removal. For instance, if
1.example.com
through9.example.com
are visited in that order and9.example.com
causes cookies to exceed the limit, then cookies will be removed for1.example.com
first The algorithm above would cause cookies for 1 through 8 to be removed at once, which is more severe than we need.As the people driving this no longer work for Mozilla, I thought that I would record our conclusions. I don't know if we have the resources to continue to investigate implementation, but I'm happy to create a PR for the relevant section if the WG thinks that this is a reasonable change.
I understand that @mikewest still prefers cookie priorities, but no one at Mozilla has any interest in that solution and it didn't seem to get any traction when we discussed it before.
The text was updated successfully, but these errors were encountered: