RFC 6265bis: possibility of taking the port into account for "schemeful-cookies" (aka same-origin cookies)

[randomstuff]

Would it make sense/be possible to take the port into account as well for "schemeful-cookies" (making them same-origin cookies)?

For http: localhost-bound applications, the ability to scope the cookies per origin would be useful. Without this, the cookies of a http://127.0.0.1:4567 application can be exfiltrated by other local users by:

• spawning another localhost HTTP service such as http://127.0.0.1:4568;
• triggering a request to this page from the user.

[chlily1]

This has been proposed: https://github.com/sbingler/Origin-Bound-Cookies

[chlily1]

(Adding defer label as I don't think we'll get to this in 6265bis.)

[johnwilander]

Looking at the linked GitHub doc, it seems this is no longer schemeful cookies but origin-bound cookies. True? If so, please change the title.

[randomstuff]

@johnwilander, the title is a reference to proposal in the incrementalism draft.