[whatwg] HTML Cookie API
Garrett Smith
dhtmlkitchen at gmail.com
Wed Feb 24 16:30:31 PST 2010
On Wed, Feb 24, 2010 at 4:17 PM, Adam Barth <w3c at adambarth.com> wrote:
> On Wed, Feb 24, 2010 at 4:03 PM, Garrett Smith <dhtmlkitchen at gmail.com> wrote:
>> On Tue, Feb 23, 2010 at 8:56 PM, Adam Barth <w3c at adambarth.com> wrote:
>>> The document.cookie API is kind of terrible. Web developers shouldn't
>>> have to parse a cookie-string or prepare a properly formated
>>> set-cookie-string. Here's a proposal for an HTML cookie API that
>>> isn't as terrible:
>>>
>>> https://docs.google.com/Doc?docid=0AZpchfQ5mBrEZGQ0cDh3YzRfMTRmdHFma21kMg&hl=en
>>>
>>> I'd like to propose we include this API in a future version of HTML.
>>> As always, feedback welcome.
>>>
>> | Because HttpOnly cookies are inaccessible to script, the |httpOnly|
>> | attribute will usually be false.
>>
>> Usually? When ever would HttpOnly be true?
>
> For example, if the HTML document is running with higher privileges
> because its effective security origin isn't a (scheme, host, port)
> tuple. This can occur, e.g., in Firefox when running with "chrome"
> privileges.
>
>> Instead of "array like", I would like to rather have a NamedCookieMap,
>> which is sort of like a NamedNodeMap that the cookies can be retrieved
>> by an item or namedItem.
>
> That API design assumes that there's only one cookie with a given name
> in each cookie-string. Unfortunately, that is not a valid assumption.
>
That is only true in that that example assumes that each cookie is
named. It would be entirely possible for the value to be instead a
collection, as in:
var x = document.forms[0].elements["radioName"]
- and the result is that x could be either an element or a collection
of elements.
>> Where is the argument for making the API async?
>
> Please see the discussion earlier in this thread.
>
Can you be more specific? I see:
| I really think the API should be asynchronous, as to avoid the mess
| that .localStorage currently is.
But I don't know if that's what you meant by "please see earlier".
>> Cookies have been synchronous for longer than I have been writing
>> javascript and to my knowledge, nobody has ever complained of that
>> being a problem.
>
> In fact, I've heard a great many complaints about this recently
> (particularly from Darin Fisher), which is part of what prompted me to
> make this proposal.
>
Is there a link to that? I missed it.
>> Asynchronous cookies that would mean that cookie setting tests would be harder.
>
> No one is suggesting removing the current document.cookie API.
Nobody is suggesting you change your tires. Why bring it up?
Garrett
More information about the whatwg
mailing list