It’s unfortunate that we have this mess. But couldn’t this have been avoided by defaulting to minimal access? Per Mozilla (https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies), if a cookie’s domain isn’t set, it defaults to the domain of the site excluding subdomains. If instead, this defaulted to the full domain, wouldn’t that resolve the issue? The harm isn’t in allowing people to create cookies that span sites, but in doing so accidentally, correct? The only concern is then tracking cookies. For this, a list of TLDs which it would be invalid to specify as the domain would cover most cases. Situations like github.io are rare enough that there could simply be some additional DNS property they set which makes it invalid to have a cookie at that domain level.
Similarly, the secure and http-only properties ought to default to true.
Since first-party cookies are used to track login state, you do want some way to opt into sharing them site-wide for sites where forum.example.com and mail.example.com have the same concept of a user.
> For this, a list of TLDs which it would be invalid to specify as the domain would cover most cases.
That is what the public suffix list is?
> some additional DNS property they set which makes it invalid to have a cookie at that domain level
The problem with his approach is that registries would need to opt in, but in some cases registries can’t be bothered and, since it’s a security matter, the PSL maintainers (Mozilla) do it for them.
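
An added example, not part of any comment in this thread: a sketch of the cookie storage decision from RFC 6265 section 5.3, showing the host-only default when no Domain is set and the public suffix check discussed above. The rule set is a small constructed excerpt of the public suffix list, the function names are hypothetical, and IP-address hosts are not handled.

```python
# Constructed excerpt of public suffix rules; the real list is far longer.
PSL_RULES = {"com", "io", "github.io", "uk", "co.uk", "*.ck", "!www.ck"}


def public_suffix(domain):
    """Return the public suffix of `domain` using the PSL matching rules."""
    labels = domain.lower().rstrip(".").split(".")
    best = 1  # implicit "*" rule: an unlisted TLD is itself a public suffix
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if "!" + candidate in PSL_RULES:
            # Exception rule wins: the suffix is the rule minus its left label.
            return ".".join(labels[i + 1:])
        wildcard = "*." + ".".join(labels[i + 1:])
        if candidate in PSL_RULES or wildcard in PSL_RULES:
            best = max(best, len(labels) - i)
    return ".".join(labels[-best:])


def domain_match(host, domain):
    """RFC 6265 domain-match for host names (IP addresses not handled)."""
    return host == domain or host.endswith("." + domain)


def store_cookie(request_host, domain_attr=None):
    """Return (cookie_domain, host_only), or None if the cookie is rejected."""
    host = request_host.lower()
    if not domain_attr:
        return (host, True)  # no Domain attribute: host-only cookie
    domain = domain_attr.lower().lstrip(".")
    if not domain_match(host, domain):
        return None  # a site may only widen scope to its own parent domains
    if public_suffix(domain) == domain:
        # Domain is a public suffix: allowed only as a host-only cookie
        # for that exact host, otherwise the cookie is dropped.
        return (host, True) if domain == host else None
    return (domain, False)  # explicit opt-in to sharing with subdomains


if __name__ == "__main__":
    for host, attr in [("forum.example.com", None),
                       ("forum.example.com", "example.com"),
                       ("alice.github.io", "github.io"),
                       ("forum.example.com", "com")]:
        print(host, attr, "->", store_cookie(host, attr))
```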