
SameSite attribute handling needs to be clarified #87

Open
johannhof opened this issue Jun 14, 2024 · 4 comments

Comments

@johannhof
Member

The SameSite attribute section seems like it was written at a time when only cross-site (A embeds B) Partitioned cookies were supported. Now that we support top-level / ABA Partitioned cookies we should update the section to clarify what happens when you set cookies with SameSite=Strict; Partitioned.

We should also update the spec and write WPTs :)

@bvandersloot-mozilla FYI since Mozilla is prototyping this

cc @cfredric @DCtheTall

@bvandersloot-mozilla

Strong agreement that Strict should be permitted. I think it is clear in the explainer that we can't allow them (nor Lax) now.

@cfredric
Contributor

FWIW it looks like Chrome's implementation currently does not require SameSite=None. I'm not sure if this is consistent with the intent in the explainer, since the "may only accept" phrasing always felt ambiguous to me.

@kumarrishav

Same confusion here as well. Here https://developers.google.com/privacy-sandbox/blog/chips-origin-trial#cookies_requirements it says: "Partitioned cookies should include SameSite=None attribute as well, to allow cookies to be sent in a third-party context in browsers that don't support cookie partitioning."

Nowhere does it say that SameSite=None is a must for a partitioned cookie.

@bvandersloot-mozilla

That quote actually seems to support Chris. The SameSite=None is stated as "should", not MUST (not that we are in RFC 2119 territory), and isn't in the list with the Secure requirement.

I think that doc does it well, but I think the paragraph "Partitioned cookies should include SameSite=None attribute as well, to allow cookies to be sent in a third-party context in browsers that don't support cookie partitioning." means "Partitioned cookies may need to include the SameSite=None attribute as well, if that attribute was needed before third-party cookie deprecation". But I'm no devrel expert.

> "may only accept" phrasing always felt ambiguous to me.

I see that as ambiguous now; I only read it the one way before.
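An added example, not code from the issue or from any browser implementation: a small Set-Cookie lint that surfaces the points raised in this thread. It assumes, as the linked CHIPS doc and the comments above state, that Partitioned cookies require Secure, that SameSite=None is recommended rather than required, and that the behaviour of SameSite=Strict/Lax with Partitioned is the open question this issue is about.

```javascript
// Added example (not part of issue #87 or any browser's code).
// Parses one Set-Cookie header value into name, value and a lowercase
// attribute map, then reports findings for Partitioned cookies.

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = { name: name.trim(), value: valueParts.join('='), attrs: {} };
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    // Attribute names are case-insensitive; flag attributes map to true.
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    cookie.attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return cookie;
}

// Returns an array of { level, msg } findings; empty when nothing applies.
function lintPartitionedCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!('partitioned' in c.attrs)) return findings; // nothing to check

  // Assumption from the thread: Secure is a hard requirement for Partitioned.
  if (!('secure' in c.attrs)) {
    findings.push({ level: 'error', msg: 'Partitioned requires Secure' });
  }

  const sameSite =
    typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : undefined;
  if (sameSite === undefined) {
    // Per the linked doc: SameSite=None is a "should", so this is a warning.
    findings.push({
      level: 'warn',
      msg: 'SameSite absent; add SameSite=None if the cookie must be sent ' +
        'cross-site in browsers without partitioning support',
    });
  } else if (sameSite !== 'none') {
    // Strict/Lax with Partitioned is exactly what issue #87 asks to clarify.
    findings.push({
      level: 'warn',
      msg: `SameSite=${c.attrs.samesite} with Partitioned: cross-site ` +
        'behaviour is browser-dependent until the spec is clarified',
    });
  }
  return findings;
}
```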
