06:29:32 <RRSAgent> RRSAgent has joined #cookies
06:29:36 <RRSAgent> logging to https://www.w3.org/2025/11/13-cookies-irc
06:29:36 <breakout-bot> RRSAgent, do not leave
06:29:37 <breakout-bot> RRSAgent, this meeting spans midnight
06:29:37 <breakout-bot> RRSAgent, make logs public
06:29:39 <breakout-bot> Meeting: Cookies
06:29:39 <breakout-bot> Chair: Johann Hofmann, Anne van Kesteren
06:29:39 <breakout-bot> Agenda: https://github.com/w3c/tpac2025-breakouts/issues/24
06:29:39 <Zakim> Zakim has joined #cookies
06:29:40 <breakout-bot> Zakim, clear agenda
06:29:40 <Zakim> agenda cleared
06:29:40 <breakout-bot> Zakim, agenda+ Pick a scribe
06:29:41 <Zakim> agendum 1 added
06:29:41 <breakout-bot> Zakim, agenda+ Reminders: code of conduct, health policies, recorded session policy
06:29:41 <Zakim> agendum 2 added
06:29:41 <breakout-bot> Zakim, agenda+ Goal of this session
06:29:42 <Zakim> agendum 3 added
06:29:42 <breakout-bot> Zakim, agenda+ Discussion
06:29:42 <Zakim> agendum 4 added
06:29:42 <breakout-bot> Zakim, agenda+ Next steps / where discussion continues
06:29:43 <Zakim> agendum 5 added
06:29:44 <breakout-bot> Zakim, agenda+ Adjourn / Use IRC command: Zakim, end meeting
06:29:44 <Zakim> agendum 6 added
06:29:44 <breakout-bot> breakout-bot has left #cookies
07:56:15 <Jxck> Jxck has joined #cookies
08:01:08 <niklasmerz> niklasmerz has joined #cookies
08:03:03 <camille> camille has joined #cookies
08:03:46 <AramZS> AramZS has joined #cookies
08:04:21 <erisu> erisu has joined #cookies
08:04:44 <AramZS> lol the calendar event says slack
08:04:46 <AramZS> and links to matrix
08:04:47 <tara> tara has joined #cookies
08:04:53 <AramZS> which is not irc which is also on there
08:04:58 <erisu> present+
08:06:16 <ErikAnderson> ErikAnderson has joined #cookies
08:06:20 <AramZS> present+
08:06:44 <AramZS> Johann Hofmann presenting
08:06:50 <ErikAnderson> present+
08:07:07 <AramZS> scribe+
08:07:09 <AramZS> Cookie layering - want to specify a few major points
08:07:15 <AramZS> interop issues
08:07:36 <tako> tako has joined #cookies
08:07:56 <AramZS> We have a bunch of behaviors that sides are not willing to change
08:08:20 <ErikAnderson> q+
08:08:21 <AramZS> Chrome is not depreciating third party cookies and that won't change
08:08:21 <AramZS> so now we have to deal with interop issues
08:08:25 <AramZS> Ben brought this up in privacycg
08:08:27 <niklasmerz> present+
08:08:40 <AramZS> It isn't a direct problem but we want to progress towards interop
08:09:10 <AramZS> John W: I just wanted to say that I've been saying to a few people that used to work on privacy sandbox that I don't think we've seen the last chapter here
08:09:15 <AramZS> it is very unf for the web platform
08:09:29 <niklasmerz> big +1 on third party cookie breakage. The situation is very weird on WebViews
08:09:29 <AramZS> such a fundamental piece of tech is significantly bifurcated
08:09:39 <AramZS> that is not a great outcome of whatever happened
08:09:52 <AramZS> The people who made us end up here got in the way of a web standards process
08:10:01 <AramZS> It should have been figured out here and it got disrupted.
08:10:21 <AramZS> Johann: did we want to discuss breakage and how we're dealing with it?
08:10:42 <AramZS> John W: Matthew has been dealing with site compatibility
08:11:10 <AramZS> The long tail of sites that require some sort of account you can't just sign up for that you can't easily get test accounts for. We just get reports it is broken b/c of third party cookies
08:11:16 <johannhof> johannhof has joined #cookies
08:11:42 <AramZS> Matthew: (webkit) I've had conversations with Johann and ben and we've tried to deal with situations where the browser doesn't handle these things by default
08:12:22 <AramZS> We've tried to accommodate per-site quirks and have had small success with webkit, esp with CHIPs for partition cookies which let you use cookies within a third party context but not use the user's actual cookies
08:12:27 <AramZS> we are exploring this
08:13:24 <AramZS> On: potentially developing a shared list of websites where we know 3p cookies are needed in some way (partitioned cookies or if the relationship is 1st party and the site should be relying on the storage access api and we can use quirks there) it could be useful to maintain that list
08:13:38 <johannhof> q?
08:13:40 <AramZS> esp across UA providers
08:14:04 <miketaylr> miketaylr has joined #cookies
08:14:08 <dwaite> dwaite has joined #cookies
08:14:46 <bvandersloot> bvandersloot has joined #cookies
08:14:51 <AramZS> ErikAnderson: I think I asked this in some way before. Chrome Incognito has a partitioned   behavior and there is still a 3p block cookie settings
08:14:54 <bvandersloot> present+
08:15:20 <dwaite> present+
08:15:26 <AramZS> Taylor: Chrome - blocking cookies in Chrome gives you partitioned cookies
08:15:36 <AramZS> This isn't the same as incognito where there are no third party cookies
08:15:40 <AramZS> those are blocked by default
08:15:48 <AramZS> CHIPS works though in incognito mode
08:15:48 <wbamberg> wbamberg has joined #cookies
08:17:02 <AramZS> ErikAnderson: given that there is no longer a change in default behavior and no longer inducing a change. Is it possible there's an option for chrome users to opt in to the same behavior as Firefox and Webkit? That would give more reason for people to move their sites to match that experience.
08:17:12 <Ehsan> Ehsan has joined #cookies
08:17:20 <AramZS> We still have convos about what are the limits of CHIPS etc... is it easier now for an aligned behavior ?
08:17:37 <AramZS> johannhof: we're willing to talk about what that mode does but can't change the default behavior.
08:17:56 <AramZS> ErikAnderson: incognito mode might make this harder since it has a different default?
08:18:21 <AramZS> Can we make it so incognito and no-3p mode has the same behavior?
08:18:31 <sisidovski> sisidovski has joined #cookies
08:18:33 <AramZS> johannhof: I will take that feedback. Also talking about a shared list is something tha thas come up before.
08:18:45 <AramZS> Partitioned cookies default behavior
08:19:36 <AramZS> bvandersloot: Firefox partition by default. Chrome incog and Safari block them. The challenge is that for us partition by default is a good compat mechanism that stops us from having to intervene with sites and for that reason changing is very hard for us to ship.
08:19:41 <johannhof> q?
08:19:48 <AramZS> John W.: how many sites get unbroken?
08:19:48 <ErikAnderson> ErikAnderson has joined #cookies
08:19:51 <AramZS> ack ErikAnderson
08:20:24 <AramZS> bvandersloot: Not really - there are deeper behaviors like carts or sign ins or other cross site behaviors means it is very hard to get even a manual estimate.
08:21:06 <AramZS> Is there a resolution we see to this? interop issues don't get better over time. What's the realistic option towards convergence. Either Chrome switches to partition or block.
08:21:21 <AramZS> Matthew: we've heard that some sites would still like to opt out of 3p cookies if possible.
08:21:32 <AramZS> maybe we need a followup to CHIPS that allows for opt out of 3p
08:22:22 <AramZS> It would be on the header or for an iframe. Not the first party
08:23:08 <AramZS> ???: This particular party might need to be for cross origin document - they need to know that they are being loaded cross origin and what their relationship is to the origin frame and then we wouldn't need to know about it
08:23:30 <AramZS> or rather the embedded entity wouldn't need to worry about partitions
08:23:37 <AramZS> q?
08:23:51 <AramZS> q+ to ask about opt out of third party cookies header
08:24:16 <cfredric> cfredric has joined #cookies
08:24:30 <AramZS> John W: when dealing with same site lax by default any change to the cookie behavior will break some weird behavior and then there is a mad rush to unship changes. Don't touch that default cookie behavior
08:24:33 <AramZS> ack AramZS
08:24:33 <Zakim> AramZS, you wanted to ask about opt out of third party cookies header
08:24:54 <miketaylr> AramZS: are we going to talk about the proposal to block 3P cookies?
08:24:59 <miketaylr> johannhof: yes
08:25:21 <AramZS> johannhof: stalemate situation and we can't move that much. Maybe we can explore partitioning
08:25:27 <miketaylr> q+
08:25:47 <AramZS> bvandersloot: we can consider blocking as well. it was scary last time
08:25:51 <bvandersloot> bvandersloot has joined #cookies
08:26:32 <AramZS> kleber: Have you considered trying to give the people who encounter breakage a partitioned cookie option?
08:26:49 <AramZS> Then you could collect data about the potential benefits of a more firefoxy model
08:27:02 <Haruki> Haruki has joined #cookies
08:27:04 <AramZS> John W: we did add a way for regular users to tell us if stuff is broken
08:27:15 <AramZS> the reports are hard to parse - sometimes people are just angry about something
08:27:25 <AramZS> Figuring out that it is cookies is hard.
08:27:41 <AramZS> johannhof: the most popular sites to get reported tend to be ones that just have basic network errors.
08:27:41 <JoelA> JoelA has joined #cookies
08:28:21 <AramZS> John W: ex of a deep investigation - US Census site. It turned out that one of their load balancers sent a double CSP header and we still had a legacy CSP header implementation and they had slightly diff policies
08:29:39 <AramZS> ack miketaylr
08:29:49 <ErikAnderson> q+ because Johann said I need to be in it
08:29:52 <ErikAnderson> q+
08:30:21 <AramZS> miketaylr: We tried to investigate that behavior and tried to figure out what broke and never really discovered it.
08:30:32 <AramZS> ErikAnderson: sites do sometimes hard code browser engine assumptions
08:30:36 <AramZS> ack ErikAnderson
08:30:54 <AramZS> John W: it sometimes solves that problem and introduces 10 others
08:31:10 <AramZS> johannhof: samesite lax by default how do we solve?
08:31:31 <AramZS> I think there was a possible way when chrome was still on the path with chrome going to samesite none by default and storageaccess headers
08:31:36 <AramZS> right now I don't know
08:31:57 <AramZS> both browsers wanted to go to lax by default at one point is there still an option?
08:32:21 <AramZS> John W: we did it and it was theoretically and improvement but then a bunch of stuff broke
08:32:25 <AramZS> We shipped and a bunch of enterprise sites broke and complained.
08:32:42 <AramZS> We liked the change in theory
08:33:05 <AramZS> Matthew: we can't detect the problem until we ship and then it hits us with a problem and it take a while to unship
08:33:30 <AramZS> johannhof: it sounds like it is really hard to find it in the ecosystem it is hidden to us and we can't crawl for it?
08:34:39 <AramZS> John W: when we made them samesite lax by default. When we go back in time the orig only had lax and strict and Chrome proposed and implemented None and when we didn't recognize the value we defaulted to strict so when servers started sending us None we did the complete opposite. Sites started to do 'if safari never set samesite to none'
08:34:51 <AramZS> so when we flipped to lax they refused to set to samesite none and it became lax
08:34:59 <AramZS> q?
08:35:21 <AramZS> Do you remember that google deved server side code to know if they could start setting specific samesite settings?
08:35:34 <miketaylr> https://bugs.webkit.org/show_bug.cgi?id=198181
08:35:36 <AramZS> because this was in our HTTP layer it took 3 years to get it out of our versions, totally different hting.
08:36:06 <AramZS> Why is chrome not willing to do samesite none by default?
08:36:21 <AramZS> johannhof: security boundary issue
08:36:46 <AramZS> If you were in touch with the people for whom this was broken for did they fix it?
08:36:59 <AramZS> ErikAnderson: they sniffed it
08:37:24 <AramZS> John W: the one or two people who did fix it were good but we realized it must have been a pretty long tail of people with issues
08:37:38 <karlcow> karlcow has joined #cookies
08:38:21 <AramZS> ???: I have an idea - collective depreciation is something we do? can we depreciate cookies without samesite are depreciated?
08:38:44 <AramZS> bvandersloot: for a collective issue like TLS it might make sense
08:38:56 <cfredric> s/???/annevk/
08:39:02 <AramZS> johannhof: would be good to make progress on this better than once a year
08:39:33 <AramZS> Edgar: from mozilla - +1 on hard to diagnose issues. We've also been theorizing partial cookie removal is an issue
08:39:39 <AramZS> how should we deal with the global cookie max
08:39:50 <AramZS> right now the current way in both specs is ordering by last access
08:39:54 <AramZS> q?
08:40:09 <AramZS> then we are in a state where a host is purged partially
08:40:21 <AramZS> q+
08:40:27 <AramZS> annevk: is anyone around who worked on this?
08:40:37 <AramZS> Seems like it goes back to netscape
08:41:04 <karlcow> For history https://github.com/webcompat/web-bugs/issues?q=label%3A%22type-cookie-sameSite%22
08:41:04 <AramZS> mt: a lot of websites tolerate cookies disappearing piecemeal ?
08:41:04 <karlcow> https://bugzilla.mozilla.org/show_bug.cgi?id=1618610
08:41:55 <AramZS> annevk: just sort of deletes the furthest cookies set from the present
08:42:06 <AramZS> ????: might be ordered by security.
08:42:21 <AramZS> ack AramZS
08:42:35 <ErikAnderson> s/????/mikewest
08:42:36 <miketaylr> AramZS: as a site owner, we have a whole suite around managing the fact that cookies randomly disappear
08:42:56 <miketaylr> AramZS: it's unpredictable and causes problems. we have 2 pieces: we try to reapply the important cookies
08:43:20 <miketaylr> ... and have a cookie monster that removes non-essential cookies for whatever reason. it sucks, but others probably do similar
08:43:23 <ErikAnderson> q+ mikewest
08:43:51 <AramZS> John W: I think maybe a major use newspaper we got reports on seemingly random logouts and it was really just too many cookies for the cookie header and it was kind of random which ones got cut off
08:43:58 <ErikAnderson> ack next
08:44:51 <AramZS> Mikewest: Within a lot of enterprises that have multiple subdomains and set a lot of cookies chrome has found it impossible to handle priority. Sites find it very valuable to prioritize cookies to be deleted. Chrome can't remove that process
08:45:21 <AramZS> When sorting the list of cookies to use we delete low priority before high priority but I don't recall exactly how it is set.
08:45:46 <AramZS> johannhof: It would have a good interop impact if we make a change on this one
08:46:21 <AramZS> mikewest: Changing to delete all the cookies would be something we could do. When we changed sorting to be on secure it broke websites.
08:46:30 <AramZS> I am reluctant to touch cookie sorting making it atomic would be safe but surprising.
08:47:01 <miketaylr> annevk: would you prefer atomic aram?
08:47:12 <miketaylr> AramZS: that doesn't seem like it would be any better
08:47:24 <miketaylr> ErikAnderson: you don't have the mystery of hunting for a missing cookie
08:47:35 <miketaylr> AramZS: maybe i'm the wrong person to ask
08:48:13 <miketaylr> AramZS: i'd be interested in seeing a proposal, unsure if helpful.
08:48:21 <AramZS> Ed: I am willing to write up a proposal
08:49:37 <AramZS> Microsoft/Xander: From an ad tech perspective given the amount of time this happens it would be worse if it was atomic and everything was deleted
08:49:54 <AramZS> mt: if you don't have priority set it would be atomic and then if you do it would go down the list.
08:50:31 <AramZS> If you have priorities you'd go through and do the lowest priority one until you felt you hit the save amount.
08:51:56 <AramZS> Isaac F: Atomic means all cookies  have to go away means all cookies are set. I like the priority idea maybe that would be a fine way to do that.
08:52:21 <AramZS> s/Microsoft/Isaac F -
08:52:49 <AramZS> John W: actual atomic I don't think is possible cookies on memory and cookies on disk and you don't want to block all networking while deleting cookies.
08:53:05 <AramZS> mt: there's always a risk
08:53:29 <AramZS> johannhof: two proposals to discuss from Google
08:53:43 <AramZS> [slide] Origin Bound cookies
08:53:58 <AramZS> A really cool proposals that binds cookies to scheme and port by default
08:54:06 <AramZS> maps very closely to browser understood origin
08:54:33 <AramZS> split between insecure and secure context mapping is no longer needed it just understand default user security setting.
08:54:50 <AramZS> Scheme always applies there is a strong binding but you get TLD+1 binding for the domain
08:55:00 <AramZS> I think it is a really good proposal and would recommend someone check it out
08:55:04 <AramZS> mt: tested for breakage?
08:55:36 <AramZS> miketaylr: I've been running with these flags for month and good so far. There is also some real data we'll send with intent to ship
08:56:06 <AramZS> John W: Do you mean when it is bound to a secure scheme do we synthesize it or do we change behavior
08:56:08 <AramZS> ?
08:56:21 <AramZS> What about deleting behavior?
08:56:48 <AramZS> johannhof: we would treat it like secure but not synthesize that setting I believe
08:57:01 <AramZS> the proposal is not explicitly removing it right now but that might be a followup.
08:57:04 <AramZS> q?
08:57:22 <AramZS> [slide] Third-Party Cookie Allowlist Header
08:58:22 <AramZS> does not mean third party cookies are blocked by default by anyone - if you set none in this allowlist to disallow third party cookies access to specific children. Nothing is forced it is an expression of preference that the browser reads. For security reasons if you want to disallow a particular child the right allowlist settings might handle it
08:58:23 <AramZS> q+
08:58:56 <AramZS> This is a name of an explainer and that name on the header might not be great
08:58:58 <AramZS> q-
08:59:36 <AramZS> We struggle to follow up on cookies work. We have a bunch of places where we can discuss it but we should do more work to be systematic and public in meeting about this and discussing next steps.
08:59:52 <AramZS> John W: cookie community group?
08:59:59 <AramZS> Well scoped
09:00:10 <AramZS> johannhof: that is worth considering.
09:00:23 <AramZS> I am not sure there are any problems?
09:00:28 <AramZS> there are so many problems to solve
09:01:40 <AramZS> John W: might be able to get cookie only people in a dedicated CG who are not interested in the privacy stuff
09:01:54 <niklas> niklas has joined #cookies
09:01:58 <AramZS> johannhof: avoiding the privacywg for this will give us broader stuff to work on potentially.
09:02:21 <AramZS> I will follow up on that suggestion.
09:02:22 <AramZS> Thanks all!
09:02:26 <AramZS> RSSAgent, make minutes
09:03:07 <AramZS> rssagent, bookmark
09:03:32 <johannhof> RSSAgent, make minutes
09:03:46 <johannhof> RSSAgent make minutes
09:04:23 <AramZS> end the meeting
09:04:29 <AramZS> RSSAgent end the meeting
09:04:42 <AramZS> zakim, this is Cookies Breakout
09:04:42 <Zakim> got it, AramZS
09:05:48 <AramZS> rssagent,, pointer
09:05:53 <AramZS> rssagent, pointer
09:05:59 <AramZS> rssagent, here
09:06:09 <AramZS> rssagent, on
09:06:22 <AramZS> rssagent set logs world-visible
09:06:35 <AramZS> rssagent, create minutes
09:06:39 <AramZS> rssagent, please create the minutes
09:06:54 <AramZS> rssagent, publish minutes
09:07:03 <AramZS> rssagent, help
09:09:14 <AramZS> zakim, help
09:09:14 <Zakim> Please refer to http://www.w3.org/2001/12/zakim-irc-bot for more detailed help.
09:09:16 <Zakim> Some of the commands I know are:
09:09:16 <Zakim>  xxx is yyy       - establish yyy as the name of unknown party xxx
09:09:16 <Zakim>                     if yyy is 'me' or 'I', your nick is substituted
09:09:16 <Zakim>  xxx may be yyy   - establish yyy as possibly the name of unknown party xxx
09:09:17 <Zakim>  I am xxx         - establish your nick as the name of unknown party xxx
09:09:17 <Zakim>  xxx holds yyy [, zzz ...] - establish xxx as a group name and yyy, etc. as participants within that group
09:09:17 <Zakim>  xxx also holds yyy - add yyy to the list of participants in group xxx
09:09:17 <Zakim>  who's here?      - lists the participants on the phone
09:09:17 <Zakim>  who's muted?     - lists the participants who are muted
09:09:17 <Zakim>  mute xxx         - mutes party xxx (like pressing 61#)
09:09:19 <Zakim>  unmute xxx       - reverses the effect of "mute" and of 61#
09:09:19 <Zakim>  is xxx here?     - reports whether a party named like xxx is present
09:09:19 <Zakim>  list conferences - reports the active conferences
09:09:19 <Zakim>  this is xxx      - associates this channel with conference xxx
09:09:19 <Zakim>  excuse us        - disconnects from the irc channel
09:09:19 <Zakim> I last learned something new on $Date: 2020/12/31 21:20:53 $
09:10:39 <AramZS> zakim, what conference is this?
09:10:39 <Zakim> I have been told this is Cookies Breakout
09:10:49 <AramZS> zakim, what is the pointer?
09:10:49 <Zakim> I don't understand your question, AramZS.
09:10:52 <AramZS> zakim, pointer
09:10:52 <Zakim> I don't understand 'pointer', AramZS
09:12:35 <AramZS> RRSAgent, help
09:13:39 <AramZS> RRSAgent, please create the minutes
09:13:40 <RRSAgent> I have made the request to generate https://www.w3.org/2025/11/13-cookies-minutes.html AramZS
09:15:49 <AramZS> RRSAgent, set logs world-visible
09:16:58 <AramZS> Zakim, end meeting
09:16:58 <Zakim> As of this point the attendees have been erisu, AramZS, ErikAnderson, niklasmerz, bvandersloot, dwaite
09:17:00 <Zakim> RRSAgent, please draft minutes
09:17:01 <RRSAgent> I have made the request to generate https://www.w3.org/2025/11/13-cookies-minutes.html Zakim
09:17:06 <Zakim> I am happy to have been of service, AramZS; please remember to excuse RRSAgent.  Goodbye
09:17:07 <Zakim> Zakim has left #cookies
09:17:20 <AramZS> rssagent, bye
09:17:31 <AramZS> RRSAgent, bye
09:17:31 <RRSAgent> I see no action items