@@ -218,34 +218,29 @@ <h3 id="header">
218218 < pre >
219219 "Clear-Site-Data:" *< a > WSP</ a > < a > data-type-list</ a > *[ ";" *< a > WSP</ a > < a > extension</ a > *< a > WSP</ a > ] *< a > WSP</ a >
220220
221- < dfn > data-type-list</ dfn > = "*" / ( < a > data-type </ a > *( " " < a > data-type </ a > ) )
222- < dfn > data-type </ dfn > = "cookie" / "dom" / "cache "
221+ < dfn > data-type-list</ dfn > = "*" / ( < a > exclusion </ a > *( " " < a > exclusion </ a > ) )
222+ < dfn > exclusion </ dfn > = "< dfn > retainCookies </ dfn > "
223223 < dfn > extension</ dfn > = < a > subdomain-extension</ a > / < a > unknown-extension</ a >
224- < dfn > subdomain-extension</ dfn > = "includeSubdomains"
224+ < dfn > subdomain-extension</ dfn > = "< dfn > includeSubdomains</ dfn > "
225225 < dfn > unknown-extension</ dfn > = *( < a > WSP</ a > / << a > VCHAR</ a > except ";" and ","> )
226226 </ pre >
227227
228228 The header's value contains either the U+002A ASTERISK character
229- (< code > *</ code > ) or a list of type keywords , followed by a set of options.
229+ (< code > *</ code > ) or a list of type exclusions , followed by a set of options.
230230
231- The valid type keywords are:
231+ If the header's value's < a > data-type-list</ a > component is "< code > *</ code > ",
232+ then all data types specified in this document that are related to this site
233+ will be removed.
232234
233- 1. < code > cookie</ code > , which implies that cookies for a host ought to be
234- removed.
235+ If exclusions are specified, then all data types specified in this document
236+ will be removed, with the exception of the specified types. Recognized
237+ exclusions are as follows:
235238
236- 2 . < code > dom </ code > , which implies that all DOM-accessible storage for an
237- origin ought to be cleared .
239+ 1 . < code > retainCookies </ code > , which implies that cookies for the site's
240+ host will < code > not </ code > be removed .
238241
239- 3. < code > cache</ code > , which implies that all locally cached data for an
240- origin ought to be cleared.
241-
242- ISSUE: This should probably be changed into a mechansim which excludes certain
243- types. That is, I see a use case for skipping cookies. I don't see any for
244- skipping DOM storage or Cache. Perhaps drop down to < code > *</ code > and
245- < code > everything-but-cookies</ code > ?
246-
247- Invalid type keywords present in a header's value are simply ignored. Parsing
248- details can be found in [[#parsing]].
242+ Invalid exclusion keywords present in a header's value are simply ignored.
243+ Parsing details can be found in [[#parsing]].
249244
250245 User agent conformance details are detailed in [[#clear]]. Those steps
251246 represent the following requirements when the header is present in a
@@ -255,28 +250,30 @@ <h3 id="header">
255250 delivered along with a Response whose URL is < a > < i lang ="la "> a priori</ i >
256251 insecure</ a > .
257252
258- 2. If the value of the header contains "< code > *</ code > " or
259- "< code > cookie</ code > ", then all cookies which would be sent along with
260- requests to the < var > response</ var > 's {{Response/url}} MUST be removed.
253+ Note: This means that the header will be ignored for unauthenticated or
254+ unencrypted connections ("HTTP" vs "HTTPS", for example).
261255
262- If the < code > includeSubdomains</ code > option is present, then all cookies
263- which would be sent along with requests to any host which is a subdomain
264- of < var > response</ var > 's {{Response/url}}'s {{URL/host}} MUST be removed.
256+ 2. If the value of the header's < a > data-type-list</ a > does not contain
257+ < a > < code > retainCookies</ code > </ a > , then all cookies which would be sent
258+ along with any request to the < var > response</ var > 's {{Response/url}}'s
259+ {{URL/host}} MUST be removed.
260+
261+ Further, if the same header's < a > extension</ a > contains
262+ < a > < code > includeSubdomains</ code > </ a > , then all cookies which would be
263+ sent along with any request to any host which is a subdomain of
264+ < var > response</ var > 's {{Response/url}}'s {{URL/host}} MUST be removed.
265265
266- 3. If the value of the header contains "< code > *</ code > " or
267- "< code > dom</ code > ", then all DOM-accessible storage mechanisms
268- ({{localStorage}}, {{sessionStorage}}, [[INDEXEDDB]], [[WEBDATABASE]],
269- etc) for < var > response</ var > 's {{Response/url}}'s < a > origin</ a > MUST be
270- cleared.
266+ 3. All DOM-accessible storage mechanisms ({{localStorage}},
267+ {{sessionStorage}}, [[INDEXEDDB]], [[WEBDATABASE]], etc) for
268+ < var > response</ var > 's {{Response/url}}'s < a > origin</ a > MUST be cleared.
271269
272270 If the < code > includeSubdomains</ code > option is present, then all
273271 DOM-accessible storage mechanisms for any < a > origin</ a > whose {{URL/host}}
274272 is a subdomain of < var > response</ var > 's {{Response/url}}'s {{URL/host}}
275273 MUST be cleared.
276274
277- 4. If the value of the header contains "< code > *</ code > " or
278- "< code > cache</ code > ", then all locally cached data for
279- < var > response</ var > 's {{Response/url}}'s {{URL/host}} MUST be removed.
275+ 4. All locally cached data for < var > response</ var > 's {{Response/url}}'s
276+ < a > origin</ a > MUST be removed.
280277
281278 If the < code > includeSubdomains</ code > option is present, then all locally
282279 cached data for any host which is a subdomain of < var > response</ var > 's
@@ -295,21 +292,24 @@ <h3 id="fetch-integration">Fetch Integration</h3>
295292 < a > < code > Clear-Site-Data</ code > </ a > , then execute [[#clear]] on
296293 < var > response</ var > .
297294
298- Note: This happens < em > after</ em > < code > Set-Cookie</ code > headers are
299- processed. If we clear cookies, we clear all of them.
295+ Issue: This happens < em > after</ em > < code > Set-Cookie</ code > headers are
296+ processed. If we clear cookies, we clear all of them. This is intentional,
297+ and < a > < code > retainCookies</ code > </ a > is what we would offer to folks who
298+ want to retain certain cookies. Perhaps we need a mechanism to allow only
299+ certain cookies to be retained?
300300< section >
301301
302302< section >
303303 < h2 id ="algorithms "> Algorithms</ h2 >
304304
305305 < h3 id ="parsing "> Parsing</ h3 >
306306
307- < h4 id ="get-types ">
308- Which data types ought to be cleared for < var > response</ var >
307+ < h4 id ="get-exclusions ">
308+ Which data types ought to be retained for < var > response</ var > ?
309309 </ h4 >
310310
311311 TODO: Parse the < a > < code > Clear-Site-Data</ code > </ a > header. Return
312- a list of type names.
312+ a list of type names to be excluded .
313313
314314 < h4 id ="should-include-subdomains ">
315315 Should subdomains' data be cleared for < var > response</ var >
@@ -336,22 +336,20 @@ <h3 id="clear">
336336 < a > < code > Clear-Site-Data</ code > </ a > header to determine what needs to be
337337 cleared, which origins are affected, and then executes those requests.
338338
339- 1. Let < var > types </ var > be the result of [[#get-types ]] executed on
339+ 1. Let < var > exclusions </ var > be the result of [[#get-exclusions ]] executed on
340340 < var > response</ var > .
341341
342342 2. Let < var > subdomains</ var > be the result of [[#should-include-subdomains]]
343343 executed on < var > response</ var > .
344344
345- 3. If < var > types </ var > contains "< code > cookie </ code > ", execute
345+ 3. If < var > exclusions </ var > does not contain "< code > cookies </ code > ", execute
346346 [[#clear-cookies]] on < var > response</ var > 's {{Response/url}}'s
347347 < a > origin</ a > , with < var > subdomains</ var > .
348348
349- 4. If < var > types</ var > contains "< code > dom</ code > ", execute [[#clear-dom]]
350- on < var > response</ var > 's {{Response/url}}'s < a > origin</ a > , with
351- < var > subdomains</ var > .
349+ 4. Execute [[#clear-dom]] on < var > response</ var > 's {{Response/url}}'s
350+ < a > origin</ a > , with < var > subdomains</ var > .
352351
353- 5. If < var > types</ var > contains "< code > cache</ code > ", execute
354- [[#clear-cache]] on < var > response</ var > 's {{Response/url}}'s
352+ 5. Execute [[#clear-cache]] on < var > response</ var > 's {{Response/url}}'s
355353 < a > origin</ a > , with < var > subdomains</ var > .
356354
357355 < h4 id ="clear-cache ">
@@ -412,9 +410,15 @@ <h4 id="clear-cookies">
412410
413411 2. If < var > subdomain state</ var > is < a > < code > Include Subdomains</ code > </ a > ,
414412 then let < var > cookie list</ var > be the set of cookies from the < a > cookie
415- store</ a > whose < code > domain</ code > attribute < a > domain-matches </ a >
413+ store</ a > whose < code > domain</ code > attribute is < a > domain-matched </ a > by
416414 < var > host</ var > .
417415
416+ Note: The direction of the matching is important. If
417+ < code > subdomain.example.com</ code > delivers the
418+ < a > < code > Clear-Site-Data</ code > </ a > header and includes subdomains, then
419+ cookies for < code > .another.subdomain.example.com</ code > will be cleared,
420+ but cookies for < code > .example.com</ code > will not.
421+
418422 3. Otherwise, < var > subdomain state</ var > is < a > < code > Exclude
419423 Subdomains</ code > </ a > , so let < var > cookie list</ var > be the set of
420424 cookies from the < a > cookie store</ a > whose < code > domain</ code > attribute
0 commit comments