
Google has plans to deprecate cookies over http - mike22223333
https://github.com/mikewest/cookies-over-http-bad
======
ZiiS
>> Should we special-case the cookie value "OPT_OUT"? It would be unfortunate
indeed if removing old cookies meant that users who had opted out of interest-
based advertising started being targeted again. Perhaps excluding the special
value OPT_OUT (and asking advertisers to standardize on it?) is justifiable.

 _Still_ suggesting the Evil Bit?
[https://www.ietf.org/rfc/rfc3514.txt](https://www.ietf.org/rfc/rfc3514.txt)

~~~
_verandaguy
To be fair, the evil bit's a great idea; it just failed to get much support
from the malware developer community.

~~~
John_KZ
Maybe they didn't ask them nicely enough.

Likewise, instead of using technical measures to stop websites from acquiring
analytics, we can make them pinky-swear to delete out data. This simply cannot
go wrong.

------
whoisburbansky
Shouldn't the title have 'deprecate' instead of 'depreciate'?

~~~
bencollier49
They want them to last for less time. Perhaps that's the right word.

~~~
mykeliu
I think so as well. The intent of this write-up is explicitly to advocate for
a practice to "Expire cookies early". "Depreciate" might not be the perfect
word, but "deprecate" is outright misleading.

------
m90
Can we change the clickbaity headline? This is a Google employee, but there is
no evidence in that repo that supports the claim that "Google has plans".

~~~
eganist
Speaking with some amount of experience working with people on that team: his
role at Google is precisely what you see him doing here—deprecating insecure
fundamental components of the web.

A proposal like this wouldn't have been approved for public release if the
rest of the Chromium security team didn't see merit to it.

Everyone keeps calling him "some guy." Mike West is attached to a number of
similar RFCs.

That all being said, I wouldn't immediately discount the idea even if it only
turns out to be a research exercise.

------
angrygoat
Discussion thread on the blink-dev list here:

[https://groups.google.com/a/chromium.org/forum/#!topic/blink...](https://groups.google.com/a/chromium.org/forum/#!topic/blink-
dev/r0UBdUAyrLk)

------
sbr464
Might cause an issue for WiFi access portals in short term. Not really
related, more of a side effect of poor implementations. Some use cookies to
route around settings, I’ve had trouble with in past.

------
lousken
next step: disable javascript served over http

~~~
vultour
next step: disable javascript

~~~
mike22223333
It's not the 90's... WebApps and PWA's require JS. And Javascript in browser
is secure as it is sandboxed. Minute privacy concerns are not enough for 99.9%
of the people to disable js either.

------
ToFab123
plan? No, some guy has suggested it. That does not equal to plan.

------
LinuxBender
Should there be an official Google update or blog on this?

