|
client (environment settings object) |
|
-> Needs a "has cross-site ancestor bit" added |
|
|
|
|
|
Request |
|
(this should be its own algorithm similar to how |
|
we do Origin) |
|
|
|
1. Let _isSecure_ be false. |
|
1. If request's url's scheme is "https", then set _isSecure to true. |
|
1. If request's client's has cross-site ancestor is true, then [CHIPS?] |
|
1. If request's client's has cross-site ancestor is false or request's client's storage access is true: |
|
1. get cookies for request's url, ... |
|
1. End up with a ... |
|
Serialized Cookie header value |
|
|
|
-- Complicated cases? |
|
- redirect-tainted origin |
|
- for top-level we need to forward initiator origin somehow |
|
|
|
|
|
Response |
|
|
|
1. Let _cookies_ be << >>. |
|
1. For each _header_ of response's header list, whose _header_'s name is a byte-case-insensitive match for `set-cookie`: |
|
|
|
1. Let _cookie_ be the result of "set-cookie-parsing" _header_'s value. |
|
1. If cookie value is eligible given _cookie_ for _request_ returns true, then append _value_ to _cookies_. |
|
|
|
1. "Store" _cookies_ given ??? |
|
|
|
|
|
To determine if a cookie is eligible, given a _cookie_ and a _request_: |
|
|
|
1. If _request_'s client's has cross-site ancestor |
|
is true and _request_'s client's storage access |
|
is false, then return [only allow if CHIPS]. |
|
2. |
|
|
|
|
|
Cookie processing |
|
|
|
Cookie or failure "parse a cookie" (byte sequence headerValue, |
|
boolean isSecure, |
|
host host, |
|
URL-Path requestPath (or responsePath??) |
|
) |
|
|
|
validation (Cookie -> Cookie or failure) |
|
|
|
byte sequence "serialize a cookie" (Cookie cookie |
|
) |
|
|
|
|
|
|
|
|
|
Cookie store |
|
|
|
<< cookie >> get(boolean isSecure, |
|
host requestHost, |
|
URL-path requestPath, |
|
boolean httpOnly, |
|
enum StrictOrLess | LaxOrLess | UnsetOrLess | None sameSite, |
|
partition-key partitionKey, |
|
boolean partitionedContext |
|
) |
|
|
|
??? set(Cookie cookie, |
|
boolean isSecure, |
|
boolean httpOnly, |
|
) |
|
|
|
parse-validate-set(byte sequence headerValue, |
|
boolean isSecure, |
|
host host, |
|
URL-Path requestPath (or responsePath ??), |
|
boolean httpOnly, |
|
boolean sameSiteStrictOrLax, |
|
partition-key partitionKey, |
|
boolean partitionedContext, |
|
boolean rejectPublicSuffix (kinda out there, but okay) |
|
) |
|
|
|
validate-set (Cookie cookie, |
|
... |
|
) |
|
|
|
Cookie |
|
|
|
name (byte sequence?) |
|
value (byte sequence?) |
|
partition (null or partition-key) |
|
secure (boolean) |
|
host (host or maybe domain?) |
|
host-only (boolean) |
|
path (URL path) |
|
same-site ("strict", "lax", "none", "unset") |
|
http-only (boolean) |
|
|
|
creation-time (time) |
|
expiry-time (time or null) |
|
last-access-time (time) |
|
|
|
|
|
Note: |
|
persistent = expiry-time === null |
|
partition-key = site + maybe has-cross-site-ancestor bit; talk to Artur |
|
|
|
|
|
Workers???!!! |