@@ -97,21 +97,23 @@ if possible).
9797### What's a reasonable cutoff point to start with?
9898
9999An excellent question, which I think we'll need to answer with data. Chrome has collected metrics to measure the
100- age of the oldest cookie in each same-site/cross-site request sent to a non-secure endpoint. As of March, 2018,
101- the percentile buckets break down as follows (ages in ~ days):
102-
103- | | Same-Site | Cross-Site |
104- | -| -------------| -------------|
105- | 20% | 0-1 | 2-3 |
106- | 40% | 2-3 | 37-42 |
107- | 60% | 37-42 | 95-107 |
108- | 80% | 120-135 | 192-216 |
109- | 90% | 273-307 | 307-345 |
110- | 95% | 437-492 | 437-492 |
111- | 99% | 701-789 | 701-789 |
112-
113- Squinting a bit, it seems reasonable to start at somewhere around a year, which falls into a bucket that would have
114- a one-time effect on ~ 6.12% of same-site requests, and ~ 7.3% of cross-site requests. It's a compromise between a
100+ age of the oldest cookie in each same-site/cross-site request sent to a non-secure endpoint. As of December 2019,
101+ the percentile buckets break down as follows (average ages in ~ days):
102+
103+ | | Same-Site | Cross-Site |
104+ | -------| -----------| ------------|
105+ | 25% | 0.7 | 5.2 |
106+ | 50% | 10.4 | 58 |
107+ | 75% | 93.9 | 207.4 |
108+ | 95% | 464.9 | 609.1 |
109+ | 96% | 522.1 | 661.9 |
110+ | 97% | 588.6 | 714.5 |
111+ | 98% | 677.1 | 754.5 |
112+ | 99% | 761.8 | 823.2 |
113+ | 99.5% | 848.9 | 956.2 |
114+
115+ Squinting a bit, it seems reasonable to start at somewhere around two years, which falls into a bucket that would have
116+ a one-time effect on ~ 2% of same-site requests, and ~ 3% of cross-site requests. It's a compromise between a
115117short-enough lifetime to have a real impact on pervasive monitoring and non-secure tracking in general, while at the
116118same time not breaking things like SSO on an ongoing basis (being forced to reauthenticate once a year doesn't seem
117119like a massive burden).
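Review bot: the unchanged trailing context at the end of this hunk still says "being forced to reauthenticate once a year doesn't seem like a massive burden", but the rewritten paragraph just above it now proposes starting the cutoff at "somewhere around two years"; the closing sentence should read "once every two years" (or similar) so the stated rationale matches the new cutoff. A second point on the table itself: the old header described "ages in ~ days" as bucket ranges, while the new one says "average ages in ~ days" per percentile, so a short note on how those per-bucket averages were computed would let readers compare the March 2018 and December 2019 snapshots, which otherwise look like different measurements rather than an update. The ~2% / ~3% figures do check out against the new rows (730 days falls between the 98% and 99% same-site rows and between the 97% and 98% cross-site rows).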