Hi Ari!

Apple WebKit and CFNetwork (HTTP stack for Apple ports of WebKit) support a 400-day max-age upper limit with some caveats.

We think there should always be a limit (your case 1), that user agents should be free to use a lower or a higher limit, and that 400 days is a good recommended limit to put in the spec (your case 2 but softer).

Some detailed feedback:

We understand your ≈13 months analysis but wanted to point out that there are things called “annual” that can go a bit further than 13 months, for instance tax filing which can be done early one year, late the next, and result in a ≈440 day span.

There are use cases for cookies outside of web browsers where no limit still makes sense. For instance machine-to-machine communication over HTTP. The spec may want to call that out.

Regards,
John

> On Jan 19, 2022, at 8:12 AM, Ari Chivukula via webkit-dev <webkit-dev@lists.webkit.org> wrote:
>
> I'd like to get WebKit's position on:
> (1) Having an explicit upper limit for Cookie Expires/Max-Age attributes
> (2) Having an explicit upper limit for Cookie Expires/Max-Age attributes that's less than or equal to 400 days
>
> https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-expires-attribute-2
> https://github.com/httpwg/http-extensions/pull/1732
> https://github.com/mozilla/standards-positions/issues/592
> https://bugs.chromium.org/p/chromium/issues/detail?id=1264458
>
> The draft of rfc6265bis now contains an upper limit for Cookie Expires/Max-Age attributes. As written:
> `The user agent MUST limit the maximum value of the [Max-Age/Expiration] attribute. The limit MUST NOT be greater than 400 days (34560000 seconds) in duration. The RECOMMENDED limit is 400 days in duration, but the user agent MAY adjust the limit to be less. [Max-Age/Expiration] attributes that are greater than the limit MUST be reduced to the limit.`
>
> 400 days was chosen as a round number close to 13 months in duration. 13 months was chosen to ensure that sites one visits roughly once a year (e.g., picking health insurance benefits) will continue to work.
>
> Safari is already partially compliant (has an upper age limit of 7 days when cookies are set client side), while Firefox and Chrome both support cookies with expiration dates orders of magnitude longer than a millennium in the future.
>
> According to measurements in Chrome of all cookies set about 20% have an Expires/Max-Age further than 400 days in the future. Of that 20%: half target 2 years, a quarter target 10 years or more, and the remainder are spread over the rest of the range.
>
> ~ Ari Chivukula (Their/There/They're)
> _______________________________________________
> webkit-dev mailing list
> webkit-dev@lists.webkit.org
> https://lists.webkit.org/mailman/listinfo/webkit-dev
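
The clamping rule from the draft text quoted in Ari's message, as an added example that is not part of the thread and is not WebKit, Chrome or Firefox code. `effectiveExpiry` and its parameters are hypothetical names, the headers are constructed samples, and `Date.parse` is assumed as a stand-in for the spec's cookie-date parsing.

```javascript
// Added example (not from the thread). Constructed inputs; names are hypothetical.
const MAX_LIFETIME_SECONDS = 400 * 86400; // 34560000, the draft's upper bound

// Compute when a cookie set by `setCookie` (one Set-Cookie header value) expires.
// Returns { expiresAt: epoch ms or null for a session cookie, clamped: boolean }.
// `limitSeconds` models a user agent choosing a lower limit; per the quoted draft
// wording it is never allowed to exceed 400 days.
function effectiveExpiry(setCookie, nowMs, limitSeconds = MAX_LIFETIME_SECONDS) {
  const limit = Math.min(limitSeconds, MAX_LIFETIME_SECONDS);
  let maxAge = null;
  let expires = null;
  // Skip the name=value pair, then walk the attributes; the last valid one wins.
  for (const attr of setCookie.split(";").slice(1)) {
    const eq = attr.indexOf("=");
    if (eq === -1) continue; // flag attributes such as Secure, HttpOnly
    const name = attr.slice(0, eq).trim().toLowerCase();
    const value = attr.slice(eq + 1).trim();
    if (name === "max-age" && /^-?\d+$/.test(value)) {
      maxAge = Number(value);
    } else if (name === "expires") {
      // Assumption: Date.parse stands in for the spec's cookie-date parser.
      const t = Date.parse(value);
      if (!Number.isNaN(t)) expires = t;
    }
  }
  // Max-Age takes precedence over Expires when both are present.
  let lifetime = null;
  if (maxAge !== null) lifetime = maxAge;
  else if (expires !== null) lifetime = (expires - nowMs) / 1000;
  if (lifetime === null) return { expiresAt: null, clamped: false };
  const clamped = lifetime > limit;
  return { expiresAt: nowMs + Math.min(lifetime, limit) * 1000, clamped };
}

// Constructed samples, evaluated against a fixed, constructed clock.
const now = Date.UTC(2022, 0, 19, 16, 12, 0);
for (const header of [
  "sid=abc; Max-Age=63072000; Secure; HttpOnly", // 2 years: reduced to 400 days
  "sid=abc; Expires=Mon, 19 Jan 2032 16:12:00 GMT", // 10 years: reduced
  "sid=abc; Max-Age=3600", // 1 hour: unchanged
]) {
  const { expiresAt, clamped } = effectiveExpiry(header, now);
  console.log(new Date(expiresAt).toISOString(), clamped ? "clamped" : "as sent", header);
}
```

Passing a smaller `limitSeconds` (for example 7 days) models a user agent that applies a stricter limit in some contexts.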