Intent to Prototype: Allow SameSite=None Cookies in First-Party Sandboxed Contexts

304 views
Skip to first unread message

Anusha Muley

unread,
Oct 21, 2024, 4:06:10 PMOct 21
to blink-dev, Dylan Cutler, Johann Hofmann
Contact emails

anush...@chromium.org, dylan...@chromium.org

Explainer

https://github.com/explainers-by-googlers/csp-sandbox-allow-same-site-none-cookies 

Specification

None

Summary

Enable a frame to signal the browser to include SameSite=None cookies in first-party requests from sandboxed frames when third-party cookie (3PC) restrictions are active using the allow-same-site-none-cookies value.

Blink component

Chromium > Blink > SecurityFeature > ContentSecurityPolicy  

Motivation

To prevent malicious attacks from untrusted content, servers can include a Content-Security-Policy HTTP header or iframe attribute to sandbox a page. This policy results in the browser treating the page as an opaque origin, which prevents requests originating from this page from including SameSite=Strict/Lax cookies.


Considering an example webpage at storage.example.com where users upload untrusted code, the owners may choose to sandbox the page to restrict user scripts from being run. Due to this sandboxing, only SameSite=None cookies can be used for access control. 


However, this creates an issue if third-party cookies (3PCs) are blocked— particularly for sandboxed frames that are same-site with respect to the top-level site (including possibly the top-level frame itself). All subresource requests from storage.example.com would be considered cross-site in the context of 3PC blocking and requests from these sandboxed pages will no longer even have their SameSite=None cookies. Even though the cookies are not being sent in a truly cross-site context, access-controlled content such as embedded media would not be included on the page. 


This proposal allows servers to restore existing behavior and ensure these cookies are included in same-site requests, which can mitigate potential 3PC-blocking-related breakage. 


 

Initial public proposal

https://github.com/w3c/webappsec-csp/issues/664 

TAG review

https://github.com/w3ctag/design-reviews/issues/1004 

TAG review status

Requested 

Risks Interoperability and Compatibility
None

Gecko: No signal

WebKit: No signal

Web developers: No signal

Other signals: N/A

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

No

Debuggability

None

Is this feature fully tested by web-platform-tests?

No

Flag name on chrome://flags

None

Finch feature name

‘AllowSameSiteNoneCookiesInSandbox’

Non-finch justification

None

Requires code in //chrome?

No

Tracking bug

https://g-issues.chromium.org/u/0/issues/372894175

Estimated milestones

TBD

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5090336588955648


Reply all
Reply to author
Forward
0 new messages