[whatwg] HTML Cookie API

Garrett Smith dhtmlkitchen at gmail.com
Wed Feb 24 16:30:31 PST 2010

On Wed, Feb 24, 2010 at 4:17 PM, Adam Barth <w3c at adambarth.com> wrote:
> On Wed, Feb 24, 2010 at 4:03 PM, Garrett Smith <dhtmlkitchen at gmail.com> wrote:
>> On Tue, Feb 23, 2010 at 8:56 PM, Adam Barth <w3c at adambarth.com> wrote:
>>> The document.cookie API is kind of terrible.  Web developers shouldn't
>>> have to parse a cookie-string or prepare a properly formated
>>> set-cookie-string.  Here's a proposal for an HTML cookie API that
>>> isn't as terrible:
>>> https://docs.google.com/Doc?docid=0AZpchfQ5mBrEZGQ0cDh3YzRfMTRmdHFma21kMg&hl=en
>>> I'd like to propose we include this API in a future version of HTML.
>>> As always, feedback welcome.
>> | Because HttpOnly cookies are inaccessible to script, the |httpOnly|
>> | attribute will usually be false.
>> Usually? When ever would HttpOnly be true?
> For example, if the HTML document is running with higher privileges
> because its effective security origin isn't a (scheme, host, port)
> tuple.  This can occur, e.g., in Firefox when running with "chrome"
> privileges.
>> Instead of "array like", I would like to rather have a NamedCookieMap,
>> which is sort of like a NamedNodeMap that the cookies can be retrieved
>> by an item or namedItem.
> That API design assumes that there's only one cookie with a given name
> in each cookie-string.  Unfortunately, that is not a valid assumption.

That is only true in that that example assumes that each cookie is
named. It would be entirely possible for the value to be instead a
collection, as in:

var x = document.forms[0].elements["radioName"]

- and the result is that x could be either an element or a collection
of elements.

>> Where is the argument for making the API async?
> Please see the discussion earlier in this thread.
Can you be more specific? I see:

| I really think the API should be asynchronous, as to avoid the mess
| that .localStorage currently is.

But I don't know if that's what you meant by "please see earlier".

>> Cookies have been synchronous for longer than I have been writing
>> javascript and to my knowledge, nobody has ever complained of that
>> being a problem.
> In fact, I've heard a great many complaints about this recently
> (particularly from Darin Fisher), which is part of what prompted me to
> make this proposal.

Is there a link to that? I missed it.

>> Asynchronous cookies that would mean that cookie setting tests would be harder.
> No one is suggesting removing the current document.cookie API.

Nobody is suggesting you change your tires. Why bring it up?


More information about the whatwg mailing list