
Google Plans to Deprecate Cookies - feross
https://github.com/mikewest/http-state-tokens
======
feross
Key quote: “Cookies are bad and we should find a path towards deprecation. But
that's going to take some time. This proposal aims to be an addition to the
platform that will provide value even in the presence of cookies, giving us
the ability to shift developers from one to the other incrementally.”

The plan to deprecate cookies was also referenced recently in this mailing
list thread:
[https://groups.google.com/a/chromium.org/forum/m/#!msg/blink...](https://groups.google.com/a/chromium.org/forum/m/#!msg/blink-
dev/bBdx2xIB7OQ/k2fMXf-WAAAJ)

------
floatingatoll
Misleading title, at least for the link — but it uncovers highly interesting
material, as OP notes below.

The internet draft expired last year and hasn’t been renewed. Direct quote
warning others not to overstate it:

> _Note: This isn 't a proposal that's well thought out, and stamped solidly
> with the Google Seal of Approval. It's a collection of interesting ideas for
> discussion, nothing more, nothing less._

A better link would be to the Cookie Store API proposal, or to the mailing
list post linked by OP:

[https://groups.google.com/a/chromium.org/forum/m/#!msg/blink...](https://groups.google.com/a/chromium.org/forum/m/#!msg/blink-
dev/bBdx2xIB7OQ/k2fMXf-WAAAJ)

> _Although there are long term plans to deprecate cookies, we recognize that
> with the existing heavy usage of cookies, it will take a long time for this
> to happen. We think that by introducing this API now, it will help the
> current state of cookies by allowing developers to use them more judiciously
> and make better decisions about security while also improving performance._

They do link “deprecate cookies” to that same expired spec, but it isn’t
really good context for what their plans are, compared to the above list post.

------
avipars
This is going to be a long shot and will take years to get most websites on-
board.

It won't be as well received as chrome's switch to preferring SSL/TLS, in my
opinion.

