CHIPS and the Path attribute #47

Closed
DCtheTall opened this issue Jul 18, 2022 · 2 comments

@DCtheTall
Collaborator

When CHIPS was initially proposed, we required that the __Host- name prefix be included. This prefix is already part of the cookie RFC and requires the following:

  • The cookie is set with the Secure attribute.
  • The cookie is set without the Domain attribute.
  • The cookie is set with the Path=/ attribute.

Due to concerns raised in #30, Chrome removed the __Host- name prefix requirement from CHIPS. Likewise, due to concerns raised in #39 and #43, we decided to remove the no-Domain requirement as well.

Given we have diverged the Partitioned behavior from the __Host- prefix behavior, I am opening this issue to prompt a discussion on whether we should continue to include or do away with the Path=/ attribute as well.

@DCtheTall
Collaborator Author

DCtheTall commented Jul 29, 2022

Recap of the points from yesterday's PrivacyCG call:

  • Reps from Firefox think that the Path=/ requirement is not necessary.
  • Reps from Firefox and Edge were asking about the Secure requirement as well.
    • Chrome replied that there is a security and privacy benefit to not letting partitioned cookies be sent over plaintext.
  • Baycloud mentioned some sites use the Path attribute in cookies to separate out cookies set in different countries to satisfy different language or legal requirements.

I think we made good progress, and I think it is reasonable to say there is alignment that the Path=/ requirement is not necessary for CHIPS and may make adoption more difficult.

@DCtheTall
Collaborator Author

Closing this now that #49 has landed.
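
The requirements discussed in this thread, as an added example that is not part of the original issue or the CHIPS project's code: a checker that parses a Set-Cookie value and reports whether a Partitioned cookie meets the original __Host- based rule versus a relaxed rule. Function names and sample headers are constructed, and the relaxed rule assumes only Secure remains required.

```javascript
// Added example: names and sample headers are constructed for illustration.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq);
  const attrs = new Map();
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    // Attribute names are compared case-insensitively; a repeated one overwrites.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? "" : part.slice(i + 1).trim());
  }
  return { name, attrs };
}

// The three __Host- requirements listed in the issue.
function hostPrefixViolations({ attrs }) {
  const problems = [];
  if (!attrs.has("secure")) problems.push("missing Secure");
  if (attrs.has("domain")) problems.push("Domain present");
  if (attrs.get("path") !== "/") problems.push("Path is not /");
  return problems;
}

function checkPartitioned(header) {
  const cookie = parseSetCookie(header);
  if (!cookie.attrs.has("partitioned")) return { partitioned: false };
  const hostIssues = hostPrefixViolations(cookie);
  return {
    partitioned: true,
    // Original proposal: __Host- name prefix plus everything it implies.
    originalProposal: /^__Host-/i.test(cookie.name) && hostIssues.length === 0,
    // Assumption: after the relaxations only Secure is still required.
    relaxed: cookie.attrs.has("secure"),
    hostIssues,
  };
}

// Constructed sample headers; the second uses a per-country Path.
const samples = [
  "__Host-sid=abc; Secure; Path=/; SameSite=None; Partitioned",
  "sid=abc; Secure; Domain=example.com; Path=/fr; SameSite=None; Partitioned",
  "sid=abc; Path=/; Partitioned",
];
for (const h of samples) console.log(h, "=>", JSON.stringify(checkPartitioned(h)));
```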
