CHIPS and the `Path` attribute
DCtheTall opened this issue · comments
When CHIPS was initially proposed, we required that the `__Host-` name prefix be included. This prefix is already part of the cookie RFC and requires the following:
- The cookie is set with the `Secure` attribute.
- The cookie is set without the `Domain` attribute.
- The cookie is set with the `Path=/` attribute.

Due to concerns raised in #30, Chrome removed the `__Host-` name prefix requirement from CHIPS. Likewise, due to concerns raised in #39 and #43 we decided to remove the no-`Domain` requirement as well.

Given we have diverged the `Partitioned` behavior from the `__Host-` prefix behavior, I am opening this issue to prompt a discussion on whether we should continue to include or do away with the `Path=/` attribute as well.

Recap of the points from yesterday's PrivacyCG call:
- Reps from Firefox think that the `Path=/` requirement is not necessary.
- Reps from Firefox and Edge were asking about the `Secure` requirement as well.
  - Chrome replied that there is a security and privacy benefit to not letting partitioned cookies be sent over plaintext.
- Baycloud mentioned some sites use the `Path` attribute in cookies to separate out cookies set in different countries to satisfy different language or legal requirements.

I think we made good progress, and I think it is reasonable to say there is alignment that the `Path=/` requirement is not necessary for CHIPS and may make adoption more difficult.

Closing this now that #49 has landed.
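
The attribute rules discussed in this thread, as an added example that is not part of the issue or of any browser's code: a small audit of `Set-Cookie` values against the three `__Host-` prefix rules and against `Secure` for `Partitioned` cookies. Assumptions: `Secure` is treated as still required for `Partitioned` (per Chrome's reply in the recap), `requirePathRoot` is a hypothetical switch modelling the `Path=/` rule under discussion, and the sample headers are constructed.

```javascript
// Added example: audit Set-Cookie values against the rules named in the thread.
// parseSetCookie, auditCookie and requirePathRoot are hypothetical names.

function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";");
  const eq = pair.indexOf("=");
  const name = (eq === -1 ? "" : pair.slice(0, eq)).trim();
  const attrs = new Map();
  for (const part of attrParts) {
    const i = part.indexOf("=");
    // Attribute names are case-insensitive; a repeated attribute keeps its last value.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    const value = i === -1 ? "" : part.slice(i + 1).trim();
    if (key) attrs.set(key, value);
  }
  return { name, attrs };
}

function auditCookie(header, { requirePathRoot = false } = {}) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  const secure = attrs.has("secure");
  // Prefix compared case-insensitively here (a choice made by this example).
  if (name.toLowerCase().startsWith("__host-")) {
    if (!secure) problems.push("__Host-: missing Secure");
    if (attrs.has("domain")) problems.push("__Host-: Domain present");
    if (attrs.get("path") !== "/") problems.push("__Host-: Path is not /");
  }
  if (attrs.has("partitioned")) {
    if (!secure) problems.push("Partitioned: missing Secure");
    // Optional rule: the Path=/ requirement this issue debates dropping.
    if (requirePathRoot && attrs.get("path") !== "/")
      problems.push("Partitioned: Path is not /");
  }
  return problems;
}

// Constructed sample headers (example.test is a placeholder domain).
const samples = [
  "__Host-sid=abc; Secure; Path=/; SameSite=None; Partitioned",
  "__Host-sid=abc; Secure; Path=/; Domain=example.test",
  "widget=1; Path=/fr; SameSite=None; Partitioned",
  "widget=1; Secure; Path=/fr; Domain=example.test; SameSite=None; Partitioned",
];
for (const s of samples) console.log(JSON.stringify(auditCookie(s)), "<-", s);
```

The last sample is the per-country `Path` case Baycloud raised: it passes with the default options and is flagged only when `requirePathRoot` is set.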