[webkit-dev] Request for position: Cookie Expires/Max-Age attribute upper limit

Ari Chivukula arichiv at chromium.org
Wed Feb 23 09:10:29 PST 2022


Thanks! I wrote up your suggested edits here:
https://github.com/httpwg/http-extensions/pull/1980

~ Ari Chivukula (Their/There/They're)


On Tue, Jan 25, 2022 at 5:28 PM John Wilander <wilander at apple.com> wrote:

> Hi Ari!
>
> Apple WebKit and CFNetwork (HTTP stack for Apple ports of WebKit) support
> a 400-day max-age upper limit with some caveats.
>
> We think there should always be a limit (your case 1), that user agents
> should be free to use a lower or a higher limit, and that 400 days is a
> good recommended limit to put in the spec (your case 2 but softer).
>
> Some detailed feedback:
>
> We understand your ≈13 months analysis but wanted to point out that there
> are things called “annual” that can go a bit further than 13 months, for
> instance tax filing which can be done early one year, late the next, and
> result in a ≈440 day span.
>
> There are use cases for cookies outside of web browsers where no limit
> still makes sense. For instance machine-to-machine communication over HTTP.
> The spec may want to call that out.
>
>    Regards, John
>
>
> On Jan 19, 2022, at 8:12 AM, Ari Chivukula via webkit-dev <
> webkit-dev at lists.webkit.org> wrote:
>
> I'd like to get WebKit's position on:
> (1) Having an explicit upper limit for Cookie Expires/Max-Age attributes
> (2) Having an explicit upper limit for Cookie Expires/Max-Age attributes
> that's less than or equal to 400 days
>
>
> https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-expires-attribute-2
> https://github.com/httpwg/http-extensions/pull/1732
> https://github.com/mozilla/standards-positions/issues/592
> https://bugs.chromium.org/p/chromium/issues/detail?id=1264458
>
> The draft of rfc6265bis now contains an upper limit for Cookie
> Expires/Max-Age attributes. As written:
> `The user agent MUST limit the maximum value of the [Max-Age/Expiration]
> attribute. The limit MUST NOT be greater than 400 days (34560000 seconds)
> in duration. The RECOMMENDED limit is 400 days in duration, but the user
> agent MAY adjust the limit to be less. [Max-Age/Expiration] attributes that
> are greater than the limit MUST be reduced to the limit.`
>
> 400 days was chosen as a round number close to 13 months in duration. 13
> months was chosen to ensure that sites one visits roughly once a year
> (e.g., picking health insurance benefits) will continue to work.
>
> Safari is already partially compliant (has an upper age limit of 7 days
> when cookies are set client side), while Firefox and Chrome both support
> cookies with expiration dates orders of magnitude longer than a millennium in
> the future.
>
> According to measurements in Chrome, of all cookies set, about 20% have an
> Expires/Max-Age further than 400 days in the future. Of that 20%: half
> target 2 years, a quarter target 10 years or more, and the remainder are
> spread over the rest of the range.
>
> ~ Ari Chivukula (Their/There/They're)
>
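
The cap quoted from the rfc6265bis draft in this thread, sketched as an added example (not part of any message in the thread, and not WebKit, Chromium or httpwg code): it computes the expiry a user agent would store for a `Set-Cookie` header once the limit is applied. The function name `effectiveExpiry`, the sample headers, and the use of `Date.parse` in place of the draft's own cookie-date parsing are assumptions made for illustration.

```javascript
const LIMIT_SECONDS = 34560000; // 400 days, the figure quoted from the draft

// Returns { name, expiresAtMs, clamped }; expiresAtMs is null for a session cookie.
// Assumption: Expires is parsed with Date.parse, not the draft's cookie-date algorithm.
function effectiveExpiry(setCookie, nowMs, limitSeconds = LIMIT_SECONDS) {
  const [pair, ...attrs] = setCookie.split(";");
  const name = pair.split("=")[0].trim();
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    if (eq === -1) continue; // flag attributes such as Secure or HttpOnly
    const key = attr.slice(0, eq).trim().toLowerCase();
    const value = attr.slice(eq + 1).trim();
    if (key === "max-age" && /^-?\d+$/.test(value)) {
      maxAge = Number(value);
    } else if (key === "expires") {
      const t = Date.parse(value);
      if (!Number.isNaN(t)) expires = t;
    }
  }
  // Max-Age takes precedence over Expires when both are present.
  let requestedMs;
  if (maxAge !== null) requestedMs = maxAge <= 0 ? 0 : nowMs + maxAge * 1000;
  else if (expires !== null) requestedMs = expires;
  else return { name, expiresAtMs: null, clamped: false };

  // Anything beyond the limit is reduced to the limit, not rejected.
  const capMs = nowMs + limitSeconds * 1000;
  const clamped = requestedMs > capMs;
  return { name, expiresAtMs: clamped ? capMs : requestedMs, clamped };
}

// Constructed sample headers, evaluated at a fixed "now".
const NOW = Date.UTC(2022, 1, 23, 17, 10, 29);
const samples = [
  "sid=abc; Max-Age=63072000; Secure; HttpOnly", // 2 years
  "pref=dark; Expires=Fri, 31 Dec 9999 23:59:59 GMT", // far future
  "csrf=xyz; Max-Age=3600; Expires=Fri, 31 Dec 9999 23:59:59 GMT",
  "tmp=1", // no lifetime attribute: session cookie
];
for (const h of samples) {
  const r = effectiveExpiry(h, NOW);
  const when = r.expiresAtMs === null ? "session" : new Date(r.expiresAtMs).toISOString();
  console.log(`${r.name}: ${when}${r.clamped ? " (reduced to limit)" : ""}`);
}
```

Passing a smaller `limitSeconds` models a user agent that adjusts the limit to be less than 400 days.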