The existing section for Redirecting a Cross-Site Subresource to a Same-Site Subresource needs a couple of edits:

- It seems to assume that only `SameSite=None` cookies are sent on these requests. However, Chrome's implementation currently has a quirk that allows `SameSite=Lax|unspecified` cookies to be sent on these requests, and is being tracked in crbug.com/1221316.
- The section does not provide a recommendation on how sites may opt in to receiving cookies on those requests, although it does acknowledge that "We could require that top-level sites signal to browsers via some security opt-in that they are comfortable with sending SameSite=None cookies in these types of redirected requests."
- The above bug and crbug.com/1214360 indicate that there is likely web compat impact by blocking these cookies, so we may need to do some work to identify a solution and validate it against the use-cases.

cc @sbingler