[Webkit-unassigned] [Bug 219426] What is the point of specifying a cookie's maximum age when ITP disregards it anyway?

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 2 21:36:57 PST 2020


https://bugs.webkit.org/show_bug.cgi?id=219426

--- Comment #3 from John Wilander <wilander at apple.com> ---
(In reply to vpxxcucw from comment #2)
> Thanks for the reply.
> 
> Personally, I don't agree with the conclusion derived from the understanding
> that user agents act on behalf of users: that user agents are given carte
> blanche to do what they want.
> 
> A very simple use-case is when after logging into a website, the user has
> the option of having his login remembered for the next 30 days (very common
> scenario in websites). If the user *does* want this benefit, he is actually
> denied this benefit by ITP.

Login cookies are typically set in regular server responses which are not capped. In addition, login cookies should be set HttpOnly for security reasons which means they can’t be set through document.cookie at all.

> To a layperson, if the website offers to remember his state for more than 7
> days but he doesn't get it because ITP prevents it, he is more likely to
> blame the website rather than the browser.

People who are not experts in web technologies are exactly the ones who need their user agent to help them stay safe on the web by default. That’s why we build privacy features such as ITP.

> There could be other use cases beyond remembering a user's login that call
> for a longer-than-7-day cookie expiry.

-- 
You are receiving this mail because:
You are the assignee for the bug.
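
Added example, not part of the original message and not WebKit code: the reply's point that a login cookie belongs in the server response with HttpOnly, shown as a helper that builds a 30-day `Set-Cookie` value and a check that flags login cookies lacking the attributes. The function names, the cookie name `sid` and the sample headers are constructed for illustration.

```javascript
// Added example; all names and sample values are constructed.
const THIRTY_DAYS = 30 * 24 * 60 * 60; // "remember me for 30 days", in seconds

// Value for the Set-Cookie response header of a "remember me" login.
// HttpOnly keeps the cookie out of document.cookie entirely.
function buildLoginCookie(name, token, maxAgeSeconds = THIRTY_DAYS) {
  return [
    `${name}=${encodeURIComponent(token)}`,
    `Max-Age=${maxAgeSeconds}`,
    'Path=/',
    'Secure',
    'HttpOnly',
    'SameSite=Lax',
  ].join('; ');
}

// Parse one Set-Cookie value; attribute names are case-insensitive.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    attrs,
  };
}

// Findings for a cookie that is meant to carry a remembered login.
function auditLoginCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) findings.push('missing HttpOnly: script can read it via document.cookie');
  if (!attrs.secure) findings.push('missing Secure: sent over plain HTTP');
  if (!('max-age' in attrs) && !('expires' in attrs)) {
    findings.push('no Max-Age/Expires: session cookie, login is not remembered');
  }
  return findings;
}

console.log(buildLoginCookie('sid', 'constructed-token'));
console.log(auditLoginCookie('sid=constructed-token; Path=/'));
```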