Cookie partitioning on localhost is underspecified #10867
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
What is the issue with the HTML Standard?
This was originally opened as an issue on the CHIPS standard, but I was advised to open an issue here instead.
My understanding is that normally, otherwise-identical URLs that have different port numbers are treated as different domains... except on localhost, where they are treated as the same domain by default. (For the purpose of setting and receiving cookies).
So if a cookie is set for localhost:1142, it will also be received by a server running at localhost:1141, even if it doesn't set the Domain attribute.
In Chrome, this happens even if the cookie is partitioned. In Firefox, however, the partitioning uses the port number, which means that partitioned cookies cannot be shared between localhost domains. Even though the equivalent non-localhost domains could share the same partitioned cookies using the Domain attribute.
While I personally find Chrome's behaviour here preferable to Firefox's, could this issue be addressed in the spec directly, so that there isn't two different behaviours here?
The text was updated successfully, but these errors were encountered: