[Webkit-unassigned] [Bug 219426] New: What is the point of specifying a cookie's maximum age when ITP disregards it anyway?
bugzilla-daemon at webkit.org
Wed Dec 2 02:36:51 PST 2020
https://bugs.webkit.org/show_bug.cgi?id=219426
Bug ID: 219426
Summary: What is the point of specifying a cookie's maximum age when ITP disregards it anyway?
Product: WebKit
Version: Safari 14
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit API
Assignee: webkit-unassigned at lists.webkit.org
Reporter: vpxxcucw at sharklasers.com
ITP always sets the maximum age of cookies that are set in the first-party context to be 7 days. A website could have a valid reason for setting a longer maximum age, e.g. 30 days, but this will be ignored by ITP.
This goes against RFC 2965 section 3.2.2:
   Max-Age=value
      OPTIONAL. The value of the Max-Age attribute is delta-seconds,
      the lifetime of the cookie in seconds, a decimal non-negative
      integer. To handle cached cookies correctly, a client SHOULD
      calculate the age of the cookie according to the age calculation
      rules in the HTTP/1.1 specification [RFC2616]. When the age is
      greater than delta-seconds seconds, the client SHOULD discard the
      cookie. A value of zero means the cookie SHOULD be discarded
      immediately.
The implication is that when a cookie has been set with a maximum age, then the user agent should respect it and expire the cookie according to that age. The user agent should not be setting expiries willy-nilly that disregard established specifications.
--
You are receiving this mail because:
You are the assignee for the bug.