Sunday, June 24, 2018

Google Chrome Drops Support for Setting Cookies with "meta http-equiv"

Many Web sites use “HTTP cookies” to follow a user through a session which may involve a series of individual Web pages. While cookies can be used for intrusive tracking and have developed a somewhat dodgy reputation as a result, for some applications such as providing persistent log-ins to a site from a certain computer and browser they are nearly essential.

The Hacker's Diet Online uses cookies to implement its “Remember me” login feature. If this box is checked when the user logs in, a cookie is stored in the browser which contains an opaque credential that allows the user to access the application from the same machine and browser without logging in for the next ninety days. Recently, this feature stopped working for users of the Google Chrome browser who had updated to version 65 or above.

When cookies were originally introduced in the mid 1990s, they were set by a Web server's sending a “Set-Cookie” HTTP header field in which the cookie name, value, and optional parameters such as expiration date and scope (source domain and document path) were specified. Because many Web applications do not have the ability to directly cause the server to emit header fields, they commonly used an HTML meta element with the “http-equiv” attribute, which causes the browser to treat the element's “content” field as if it had been sent by the server as a header field. For example, to set a cookie, one might use:

<meta http-equiv="Set-Cookie" content="session=6be5123e0" />

to remember a user's session number. (In practice, such cookies would usually contain a scope and expiration date, but these complexities are ignored here.)

Another way of setting a cookie is to use the JavaScript document.cookie property. This, of course, requires that the user's browser support JavaScript and that it be enabled.

The Hacker's Diet Online has been carefully designed not to require JavaScript. Some user interface features, such as dynamic updates for abbreviated data entry and plotting chart items as soon as they are entered in a table, will not work without JavaScript, but the full functionality of the application remains available. Consequently, the “Remember me” cookie (the only cookie used by the application, and only if the user requests this feature) was set with an HTML meta element.

Then, the pointy-heads at Google Chrome went and took it away. Why? Who knows—the document linked to by the warning message that appears in the browser debug console is a model of opacity, and the document it cites makes it seem that the decision to remove support for a feature widely used on the Web for 23 years was more a developers' whim than a carefully considered design decision.

Still, whatever you think of this browser and the company that develops it, it has, depending on who's measuring, somewhere between a little less than half and 60% of the market, and more than that on desktop platforms. The only way to restore the “Remember me” functionality for its users is to eliminate setting the cookie with the meta tag and use JavaScript instead. This has been implemented in Build 5223 of the application. This, of course, means that users whose browsers do not support JavaScript or who have disabled it in the interests of security and privacy will no longer have access to this capability and will have to log in every time they open a new session with the application.
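A sketch of the JavaScript replacement for the meta element, as an added example and not the code shipped in Build 5223: it builds a ninety-day cookie with explicit scope, validates the value, and reads the cookie back to confirm the browser accepted it. The function names and the “session” cookie name are assumptions made for illustration.

```javascript
// Added example. Function names and the "session" cookie name are illustrative.
const NINETY_DAYS = 90 * 24 * 60 * 60; // "Remember me" lifetime in seconds

// Build the string assigned to document.cookie. Validation stops a value
// containing ";" from smuggling in extra attributes or a second cookie.
function rememberCookie(name, value, opts = {}) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) {
    throw new Error("invalid cookie name");
  }
  // RFC 6265 cookie-octet: no controls, space, '"', ',', ';' or '\'
  if (!/^[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]+$/.test(value)) {
    throw new Error("invalid cookie value");
  }
  const path = opts.path || "/";
  if (/[;\x00-\x1f\x7f]/.test(path)) {
    throw new Error("invalid cookie path");
  }
  const now = opts.now || new Date();
  const maxAge = opts.maxAge ?? NINETY_DAYS;
  const expires = new Date(now.getTime() + maxAge * 1000).toUTCString();
  const parts = [
    `${name}=${value}`,
    `Max-Age=${maxAge}`,
    `Expires=${expires}`, // for browsers that ignore Max-Age
    `Path=${path}`,
    "SameSite=Lax",
  ];
  if (opts.secure !== false) parts.push("Secure"); // HTTPS-only by default
  return parts.join("; ");
}

// Set the cookie on a Document and read it back, so the caller can tell
// the user when the browser refused it (cookies blocked, or Secure on HTTP).
function setRememberCookie(doc, name, value, opts) {
  doc.cookie = rememberCookie(name, value, opts);
  return doc.cookie.split("; ").includes(`${name}=${value}`);
}

// In a page: setRememberCookie(document, "session", "6be5123e0");
```

A cookie written through document.cookie cannot carry the HttpOnly attribute, so the credential it holds is readable by any script running in the page.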

Google is known as a champion of “progressive” values and for being a hotbed of “progressives”. Welcome to “progress”.

Posted at June 24, 2018 14:17