On Fri, Apr 15, 2016 at 7:37 PM, Chris Peterson <cpeter...@mozilla.com> wrote:
> On 4/15/16 7:47 AM, Tantek Çelik wrote:
>
>> What steps can we take in this direction WITHOUT breaking web compat?
>>
>
> Would this feature actually break web compatibility? Or just needlessly
> annoy users?
>
> In his original post, Henri argued that clearing non-HTTPS cookies between
> sessions would not "Break the Web". There would be no user- or
> site-detectable changes mid-session. Clearing cookies between sessions
> could be user-detectable if they get logged out or lose their shopping
> cart. Sites, OTOH, must already handle the cases where a user's cookies are
> lost between sessions. Users could clear their cookies, use Private
> Browsing mode, or log into the site from a different browser or device.
>

Tanvi brought up this point.

On Thu, Apr 14, 2016 at 12:58 PM, Tanvi Vyas <ta...@mozilla.com> wrote:
...
* Even if login cookies are set over HTTPS, there are sometimes additional cookies set over HTTP with user data in them (ex: city/zipcode). Users may have bad experiences on websites that rely on these secondary HTTP cookies even if they are still logged in (ex: weather.yahoo.com for a user who is logged into yahoo.com).
...

Sites might depend on a combination of https and non-https cookies and then act strangely when a user returns to the site with only the https cookies.

Haik
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform