RFC 6265bis does not specify what happens when an existing cookie is no longer valid #1418

Closed
chlily1 opened this issue Feb 26, 2021 · 2 comments · Fixed by #2215

chlily1 commented Feb 26, 2021

This is a more general case of #1385.

It specifies how to store cookies in the cookie store in section 5.4, but it doesn't specify what happens when a cookie is stored in the cookie store, then (at a later point in time, while the cookie is in the cookie store) something changes so that the cookie is no longer valid (i.e. would NOT have been stored in the cookie store had it been processed now rather than before).

This could happen due to a Public Suffix List change (as in #1385), due to a spec change in the section 5.4 algorithm, some change in things that a user agent MAY and chooses to do, etc.

chlily1 self-assigned this Feb 26, 2021
DCtheTall commented Feb 26, 2021

So far the only precedent I see on deleting cookies in 5.4 is creating an order of priority for deleting "excess" cookies when adding a new cookie exceeds a user agent's upper bound for per-domain cookie storage (if it exists).

IMHO in this particular case I think the spec can suggest (perhaps with a "SHOULD") that the user agent evict the invalid cookie rows only.

Right now in Chromium, if an invalid cookie is loaded from the store, it deletes all that site's cookies.

sbingler assigned DCtheTall and unassigned chlily1 Sep 14, 2021
sbingler commented Oct 1, 2021

@mikewest To make sure I've got this right for posterity, was your recommendation during the WG to add a NOTE to 5.6.1 and/or 5.6.3 that browsers should be sure not to send invalid (due to registrable domain changes) cookies? The actual change to the storage section (or whatever we eventually settled on) should be deferred.

Is that right? For this and Issue 1385
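
The two behaviours discussed in this thread (evicting only the invalid rows when the store is loaded, and refusing to send a cookie that is no longer valid), sketched as an added example that is not part of the issue, the spec text, or any browser's code. The `Cookie` type, the function names, the `.example` hosts and both suffix sets are constructed for illustration, and the public-suffix check is simplified to exact matches.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str      # canonicalized, no leading dot
    host_only: bool  # host-only-flag as recorded when the cookie was stored

def is_public_suffix(domain, psl):
    # Assumption: exact-match lookup. The real list also has wildcard and exception rules.
    return domain in psl

def still_valid(cookie, psl):
    # A domain cookie (host_only False) scoped to a public suffix would not be
    # stored in that form if the section 5.4 storage steps ran against the current list.
    return cookie.host_only or not is_public_suffix(cookie.domain, psl)

def revalidate(store, psl):
    """Split the store into (kept, evicted), dropping only the invalid rows."""
    kept = [c for c in store if still_valid(c, psl)]
    evicted = [c for c in store if not still_valid(c, psl)]
    return kept, evicted

def domain_matches(host, cookie):
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)

def cookies_to_send(store, host, psl):
    """Send-time filter: skip any cookie that is invalid under the current list."""
    return [c.name for c in store if domain_matches(host, c) and still_valid(c, psl)]

# Constructed data: "hosting.example" is added to the list after the cookies were stored.
OLD_PSL = frozenset({"example"})
NEW_PSL = frozenset({"example", "hosting.example"})
STORE = [
    Cookie("wide", "hosting.example", False),             # invalid after the change
    Cookie("own", "hosting.example", True),               # host-only, still valid
    Cookie("alice_sid", "alice.hosting.example", False),  # still valid
]

if __name__ == "__main__":
    kept, evicted = revalidate(STORE, NEW_PSL)
    print("evicted:", [c.name for c in evicted])
    print("kept:", [c.name for c in kept])
    print("sent to bob.hosting.example:",
          cookies_to_send(STORE, "bob.hosting.example", NEW_PSL))
```

Filtering at send time protects requests even if the eviction pass has not run yet, which matches the ordering raised in the last comment: the sending-side note first, the storage-side change later.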
