GetPartitionKey updates #712
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add initial proposal
Updates for clarity
Update formatting of url
Updates in phrasing and document organization.
Additional details
Additional content and formatting
Update pr to incorporate reviewer feedback. Co-authored-by: Rob Wu <[email protected]>
Update to reflect reviewer suggestion. Co-authored-by: Rob Wu <[email protected]>
Update to remove reference to Chrome Co-authored-by: Rob Wu <[email protected]>
Co-authored-by: Rob Wu <[email protected]>
Co-authored-by: Rob Wu <[email protected]>
Co-authored-by: Rob Wu <[email protected]>
Add use case
Added background information on x-site ancestor chain bit
Update language for cookies.remove()
Co-authored-by: Oliver Dunk <[email protected]>
Co-authored-by: Oliver Dunk <[email protected]>
Co-authored-by: Oliver Dunk <[email protected]>
Co-authored-by: Oliver Dunk <[email protected]>
Co-authored-by: Oliver Dunk <[email protected]>
Co-authored-by: Oliver Dunk <[email protected]>
Co-authored-by: Oliver Dunk <[email protected]>
Co-authored-by: Oliver Dunk <[email protected]>
Add new use case and add clarification to table
Co-authored-by: Rob Wu <[email protected]>
Add language describing logic for determining hasCrossSiteAncestor value when not provided. Update method descriptions to incorporate new language and indicate when errors will be thrown.
Update table
Co-authored-by: Rob Wu <[email protected]>
Co-authored-by: Rob Wu <[email protected]>
Update the description of cookies.remove()
Co-authored-by: Heiko Theißen <[email protected]>
Add language that explicitly allows for get(), getAll() and remove() to have values that would not be valid for set(). To allow for migration of cookies that are no longer valid at runtime.
Co-authored-by: Rob Wu <[email protected]>
Co-authored-by: Rob Wu <[email protected]>
Co-authored-by: Rob Wu <[email protected]>
Add language to privacy to point out the pre-existing risks associated with editing partition keys
Co-authored-by: Rob Wu <[email protected]>
Add description for getPartitionKey() api.
Updating language for getAll() to align it with the other APIs, where a partitionKey with no topLevelSite and a value for hasCrossSiteAncestor returns an error.
Update language to specify that `{hasCrossSiteAncestor: false}` and `{hasCrossSiteAncestor:true}` are invalid keys.
Add table containing valid partitionKeys. Update language in the background section to be more consistent.
Clarify language surrounding the empty partitionKey
Co-authored-by: bvandersloot-mozilla <[email protected]>
Update language to specify the domain of the cookie's url
Return {} to the table of valid partition keys
Co-authored-by: Rob Wu <[email protected]>
Co-authored-by: Rob Wu <[email protected]>
Add table describing inputs for getPartitionKey()
Co-authored-by: Rob Wu <[email protected]>
Co-authored-by: Rob Wu <[email protected]>
Co-authored-by: Rob Wu <[email protected]>
describe error conditions of new api
Updates to the getPartitionKey() Api: Remove ability to just pass a frameId without a tabId. Update language to describe that an error should be returned when a partitionKey is not serializable.
Update language to include reference to nonce
Rob--W
reviewed
Oct 30, 2024
| @@ -115,6 +114,7 @@ A Promise that will be fulfilled with a `Cookie.partitionKey` object that matche | |||
| ##### Error conditions | |||
| - If host permissions are not granted for the document whose partitionkey is getting queried an error will be returned. | |||
| - When the parameters passed do not correspond to an existing frame, an error will be returned. | |||
| - If the partitionKey that would be associated with the frame can not be serialized an error will be returned. This can happen when the origin associated with the topLevelSite is opaque or if the underlying key associated with the frame has a nonce. | |||
There was a problem hiding this comment.
Is this equivalent to getting an error when document.cookie is read/set from the web page? If not, then I would still expect a way to manage the cookies for that document.
If it is, it may be worth calling out that there cookies cannot exist in such documents.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When implementing the getPartitionKey api, there were two issues that I felt should be updated in the proposal.
The first is removing the ability to allow for just a
frameIdto be used. Allowing this requires the browser to make an assumption on the intended tab which is not explicitly stated in the proposal and could lead to inconsistent behavior between browsers.In chromium there are cases where the CookiePartitionKey of a cookie can be unserializable (if it's got a nonce or the topLevelSite is opaque). The API should return an error in this case to ensure that we are only returning valid keys with this method key.