SameSite cookie quirks and the need to prescribe a solution for "Redirecting a Cross-Site Subresource to a Same-Site Subresource" #5

Open
krgovind opened this issue May 30, 2023 · 0 comments
krgovind commented May 30, 2023

The existing section for Redirecting a Cross-Site Subresource to a Same-Site Subresource needs a couple of edits:

  • It seems to assume that only SameSite=None cookies are sent on these requests. However, Chrome's implementation currently has a quirk that allows SameSite=Lax|unspecified cookies to be sent on these requests, and is being tracked in crbug.com/1221316.
  • The section does not provide a recommendation on how sites may opt-in to receiving cookies on those requests; although it does acknowledge that "We could require that top-level sites signal to browsers via some security opt-in that they are comfortable with sending SameSite=None cookies in these types of redirected requests."
    • The above bug and crbug.com/1214360 indicate that there is likely web compat impact by blocking these cookies; so we may need to do some work to identify a solution, and validate it against the use-cases.

cc @sbingler
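The distinction the issue turns on is whether a subresource request that starts cross-site and is redirected back to a same-site URL counts as same-site for cookie purposes. The following is an added example, not code from the proposal repository or from Chrome: it models the cookie attachment decision for a subresource request in two modes, the spec rule (every URL in the redirect chain must be same-site with the top-level site) and a quirk mode that only looks at the final URL, which is an assumption used here to approximate the Lax|unspecified leakage described above. The site computation is a constructed stand-in for the Public Suffix List, and all URLs and cookie names are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-in for registrable-domain (eTLD+1) computation: treat the
# last two host labels as the site. Real browsers consult the Public Suffix List.
def site_of(url: str) -> str:
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def same_site(a: str, b: str) -> bool:
    return site_of(a) == site_of(b)

@dataclass
class Cookie:
    name: str
    same_site: str  # "None", "Lax", "Strict" or "unspecified"

def request_is_same_site(top_level_url: str, redirect_chain: list, strict_chain: bool = True) -> bool:
    """Spec rule (strict_chain=True): the request is same-site only if the
    initial URL and every redirect target are same-site with the top-level site.
    Quirk mode (strict_chain=False, an assumption for this example): only the
    final URL of the chain is compared, so a cross-site hop is forgotten."""
    urls = redirect_chain if strict_chain else redirect_chain[-1:]
    return all(same_site(top_level_url, u) for u in urls)

def cookies_to_attach(cookies: list, top_level_url: str, redirect_chain: list,
                      strict_chain: bool = True) -> list:
    """Return the names of cookies a browser would attach to a subresource request.
    Subresource requests get no Lax-by-default exception, so on a cross-site
    request only SameSite=None cookies are eligible."""
    if request_is_same_site(top_level_url, redirect_chain, strict_chain):
        return [c.name for c in cookies]
    return [c.name for c in cookies if c.same_site == "None"]

# Constructed scenario: a page on example.com loads a script from a third party,
# which redirects back to a same-site CDN host.
TOP_LEVEL = "https://example.com/page"
CHAIN = ["https://tracker.test/r", "https://cdn.example.com/a.js"]
COOKIES = [
    Cookie("session_none", "None"),
    Cookie("prefs_lax", "Lax"),
    Cookie("legacy", "unspecified"),
    Cookie("csrf_strict", "Strict"),
]

if __name__ == "__main__":
    print("spec  :", cookies_to_attach(COOKIES, TOP_LEVEL, CHAIN, strict_chain=True))
    print("quirk :", cookies_to_attach(COOKIES, TOP_LEVEL, CHAIN, strict_chain=False))
```

Under the spec rule the redirected request carries only the SameSite=None cookie, which is the situation the existing section describes; in quirk mode the Lax, unspecified and Strict cookies ride along as well, which is the behaviour that creates the compatibility dependence the issue wants a deliberate opt-in for.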
