[Webkit-unassigned] [Bug 175232] New: Resource Load Statistics: 5 second delay of prevalent site cookie purging causes cookie churn for domains expecting one-in-all-in behavior, with potentially drastic server-side resource impact

bugzilla-daemon at webkit.org
Fri Aug 4 17:23:59 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=175232

            Bug ID: 175232
           Summary: Resource Load Statistics: 5 second delay of prevalent
                    site cookie purging causes cookie churn for domains
                    expecting one-in-all-in behavior, with potentially
                    drastic server-side resource impact
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: tstapleton at google.com
                CC: mkwst at chromium.org, wilander at apple.com

In the previous default “one-in-all-in” third-party cookie blocking behavior, a website could somewhat deterministically detect if the browser was rejecting third-party cookies by attempting to set a test cookie. If the test cookie was not returned on subsequent requests to the server, the website would have a signal to not attempt the setting of additional unnecessary cookies in the browser.

Because the current implementation of ITP purges cookies following a 5 second delay, the test cookie will often be sent on successive requests to the server. This is taken as a signal that the browser will accept cookies, resulting in the allocation of storage and processing resources toward the creation of a more substantial cookie that subsequently goes unused. The churn created by this interaction will be non-trivial in terms of both server-side processing and storage.

For a domain that has no previous cookie in its jar, it seems more appropriate to apply the previous behavior of blocking the cookie from being set.

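The interaction described in the report, as an added simulation that is not part of the original message or of WebKit's code. The policy names `blockOnEmptyJar` and `delayedPurge`, the cookie names, and the model of the purge (the jar is cleared once 5 seconds have passed since the first cookie was set) are assumptions made for illustration.

```javascript
// Added illustration; the policy names and the timing model are assumptions.
const PURGE_DELAY_MS = 5000; // the 5 second delay named in the report

// Third-party cookie jar for one domain that starts with no cookies.
function makeJar(policy) {
  const jar = { cookies: new Map(), firstSetAt: null };
  return {
    // Cookies the browser would attach to a request sent at `now`.
    read(now) {
      if (policy === "delayedPurge" && jar.firstSetAt !== null &&
          now - jar.firstSetAt >= PURGE_DELAY_MS) {
        jar.cookies.clear(); // purge has run since the last request
        jar.firstSetAt = null;
      }
      return new Map(jar.cookies);
    },
    // Handle a Set-Cookie received at `now`.
    write(now, name, value) {
      // One-in-all-in: an empty jar rejects the cookie outright.
      if (policy === "blockOnEmptyJar" && jar.cookies.size === 0) return;
      if (jar.firstSetAt === null) jar.firstSetAt = now;
      jar.cookies.set(name, value);
    },
  };
}

// Server-side probe: set a test cookie first, and allocate a stored record
// plus the substantial "id" cookie only once the test cookie comes back.
function simulate(policy, requestTimesMs) {
  const jar = makeJar(policy);
  const records = new Map(); // record id -> number of times it was read back
  let nextId = 1;
  for (const now of requestTimesMs) {
    const sent = jar.read(now);
    if (sent.has("id")) {
      records.set(sent.get("id"), records.get(sent.get("id")) + 1);
    } else if (sent.has("test")) {
      const id = String(nextId++);
      records.set(id, 0); // server-side allocation
      jar.write(now, "id", id);
    } else {
      jar.write(now, "test", "1");
    }
  }
  const unused = [...records.values()].filter((n) => n === 0).length;
  return { allocated: records.size, unused };
}

const visits = [0, 1000, 8000, 9000, 20000]; // constructed request times (ms)
console.log("blockOnEmptyJar:", simulate("blockOnEmptyJar", visits));
console.log("delayedPurge:", simulate("delayedPurge", visits));
```

With the constructed timings, the blocking policy never triggers an allocation, while the delayed purge makes the server allocate a new record after each purge and never read it back.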