+net-dev and security-dev via BCC.
Contact emails
Spec
https://tools.ietf.org/html/draft-west-first-party-cookies
Cookies are a form of ambient authority, attached by default to requests the user agent sends on a user's behalf to a particular host. Even when an attacker doesn't know the contents of a user's cookies, she can still execute commands on the user's behalf (and with the user's authority) by asking the user agent to send HTTP requests to unwary servers.
Link to “Intent to Implement” blink-dev discussion
https://groups.google.com/a/chromium.org/d/msg/blink-dev/vT98riFhhT0/3Q-lADqsh0UJ
Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
Demo link
If you have a demo page, link to it here.
Debuggability
The inspector has a cookies view behind the chrome://flags/#enable-devtools-experiments flag. I intend to add the 'First-Party-Only' attribute to that table. Otherwise, cookies are cookies, and remain visible in the network tab's header view.
Compatibility Risk
Low.
'First-Party-Only' cookies are defense-in-depth against CSRF attacks, which gracefully degrade into "normal" cookies in browsers that don't support the new attribute. That is, when presented with:
Cookie: key=value; First-Party-Only
Chrome would treat the cookie as First-Party-Only, other browsers would treat it as though the attribute wasn't there at all.
Folks at Mozilla seem excited about the change (see the conversation starting hereish: https://groups.google.com/d/msg/mozilla.dev.platform/yEqC74IgnqQ/wIVQh4W2EAkJ, and https://twitter.com/mr_goodwin/status/572755941436878849). CCing Mark Goodwin and Jonas Sicking in case they have specific feedback on the proposal, and to ensure that I'm not misrepresenting their opinions.
Moreover, this seems to be a feature that developers want. For instance, GitHub is already experimenting with the header for their `user_session` cookie: https://twitter.com/joshpeek/status/572564724350525442
As a counterpoint, folks on the IETF HTTP WG list were cooler in response, but did invite prototypes: https://lists.w3.org/Archives/Public/ietf-http-wg/2014OctDec/0752.html
If this experiment fails completely, we'll remove the 'First-Party-Only' attribute support from //net, and downgrade all such cookies to "normal" cookies, just as they were treated in every other browser. I don't believe there's any risk of lock-in here.
There is a single open question regarding how we should treat requests from Service Workers, as it's unclear whether those should be considered 'first' or 'third' party. For the moment, we've settled on keeping the same behavior for "first-party-only" cookies that we have for "third-party cookie blocking" in Chrome; that is, Service Workers are generally first-party, even if they're responding to requests from a third-party. It's likely that we'll want to change this at some point in the future, but I don't believe that discussion should block shipping this feature.
OWP launch tracking bug? https://crbug.com/459154
Link to entry on the feature dashboard: https://www.chromestatus.com/features/4672634709082112
-mike