Contact emails
chl...@chromium.org, aaro...@chromium.org, morl...@chromium.org
Explainer
https://www.chromestatus.com/feature/5088147346030592 (“Cookies with SameSite by default”)
https://www.chromestatus.com/feature/5633521622188032 (“Reject insecure SameSite=None cookies”)
Design doc/Spec
https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
TAG review
N/A
Summary
Show alerts in the developer console for “Cookies with SameSite by default” and “Reject insecure SameSite=None cookies” to warn developers of upcoming changes that may require their action.
Motivation
“Cookies with SameSite by default” and “Reject insecure SameSite=None cookies” will affect many sites using cookies that must be available in a third-party context. In order for developers to prepare for these changes and minimize breakage, we would like to show console messages to make developers aware of these changes and direct them to resources that will help them understand the changes and make the necessary changes to their sites.
The warning for “Cookies with SameSite by default” will read as follows:
“A cookie associated with a cross-site resource at (cookie domain) was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.”
This is shown whenever a cookie that does not specify a SameSite attribute is accessed in a third-party context.
The warning for “Reject insecure SameSite=None cookies” will read as follows:
“A cookie associated with a resource at (cookie domain) was set with `SameSite=None` but without `Secure`. A future release of Chrome will only deliver cookies marked `SameSite=None` if they are also marked `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.”
This is shown whenever a cookie that specifies the “SameSite=None” attribute but not the “Secure” attribute is accessed.
In both cases, “(cookie domain)” gives the domain of the cookie that triggered the message.
Interoperability and Compatibility Risk
The messages should not have any interoperability or compatibility risk. Some web_tests may be affected by the output of the messages, resulting in a text diff from the expected output. In most cases, this can be remedied by adding “testRunner.setDumpConsoleMessages(false)”.
Edge: No signals
Firefox: Features In development
Safari: No signals
Web / Framework developers: No signals
Ergonomics
The messages collapse in the DevTools console so that multiple messages of the same type will all show in one box with the multiplicity of the messages shown, to avoid overwhelming the display area.
Debuggability
Messages will be displayed in DevTools.
Usage information from UseCounter
UseCounter indicates that the first message would be displayed on approximately 50% of page views, and the second message would be displayed on approximately 20% of page views.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes
Is this feature fully tested by web-platform-tests?
N/A
Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=966576
Link to entry on the feature dashboard
https://www.chromestatus.com/feature/5631381646344192
Requesting approval to ship too?
Yes. The messages are currently implemented behind a flag, #cookie-deprecation-messages. They will eventually be removed. We would like to turn on the messages immediately in M77+, even while Intents to ship the relevant SameSite features are still pending, to give as much time as possible for developers to become aware of the changes.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAE24Oxy87%2BwbRJO_Y4ZJpAGFZ6gowOyhPwjzEx78dPrCDhjacw%40mail.gmail.com.
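As an added example (not Chromium's code, and not part of the intent above), the two trigger conditions described in the message, applied to a Set-Cookie header: a cookie with no SameSite attribute accessed in a cross-site context produces the first warning, and a cookie with SameSite=None but no Secure attribute produces the second. The helper that rewrites a header to the SameSite=None; Secure form is an assumption about what a site owner would do in response, not a Chrome behaviour. The header strings in the comments are constructed sample input.

```javascript
// Split "name=value; Attr; Attr=val" into the cookie name and a lowercase
// attribute map (attribute values keep their original case).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const attrs = {};
  for (const p of attrParts) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? '' : p.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Return which of the two console messages would fire for this cookie.
// crossSite: true when the cookie is accessed from a third-party context.
//   'missing-samesite'    -> "set without the SameSite attribute" (cross-site only)
//   'none-without-secure' -> "set with SameSite=None but without Secure"
function sameSiteWarnings(header, { crossSite }) {
  const { attrs } = parseSetCookie(header);
  const warnings = [];
  const hasSameSite = 'samesite' in attrs;
  const sameSite = hasSameSite ? attrs.samesite.toLowerCase() : null;
  const secure = 'secure' in attrs;
  if (crossSite && !hasSameSite) warnings.push('missing-samesite');
  if (sameSite === 'none' && !secure) warnings.push('none-without-secure');
  return warnings;
}

// Hypothetical remediation helper: rewrite a header for a cookie that must
// work in a third-party context so it carries SameSite=None and Secure.
// The cookie must then be set over HTTPS, or the Secure flag makes it unusable.
function makeCrossSiteCompatible(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const kept = parts.filter((p, i) => i === 0 || !/^(samesite|secure)(=|$)/i.test(p));
  return [...kept, 'SameSite=None', 'Secure'].join('; ');
}

// Constructed sample headers:
//   sameSiteWarnings('id=abc; Path=/', { crossSite: true })        -> ['missing-samesite']
//   sameSiteWarnings('id=abc; SameSite=None', { crossSite: true }) -> ['none-without-secure']
//   makeCrossSiteCompatible('id=abc; Path=/; SameSite=Lax')        -> 'id=abc; Path=/; SameSite=None; Secure'
```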