anush...@chromium.org, dylan...@chromium.org
Explainerhttps://github.com/explainers-by-googlers/csp-sandbox-allow-same-site-none-cookies
SpecificationNone
SummaryEnable a frame to signal the browser to include SameSite=None cookies in first-party requests from sandboxed frames when third-party cookie (3PC) restrictions are active using the allow-same-site-none-cookies value.
Blink componentChromium > Blink > SecurityFeature > ContentSecurityPolicy
MotivationTo prevent malicious attacks from untrusted content, servers can include a Content-Security-Policy HTTP header or iframe attribute to sandbox a page. This policy results in the browser treating the page as an opaque origin, which prevents requests originating from this page from including SameSite=Strict/Lax cookies.
Considering an example webpage at storage.example.com where users upload untrusted code, the owners may choose to sandbox the page to restrict user scripts from being run. Due to this sandboxing, only SameSite=None cookies can be used for access control.
However, this creates an issue if third-party cookies (3PCs) are blocked— particularly for sandboxed frames that are same-site with respect to the top-level site (including possibly the top-level frame itself). All subresource requests from storage.example.com would be considered cross-site in the context of 3PC blocking and requests from these sandboxed pages will no longer even have their SameSite=None cookies. Even though the cookies are not being sent in a truly cross-site context, access-controlled content such as embedded media would not be included on the page.
This proposal allows servers to restore existing behavior and ensure these cookies are included in same-site requests, which can mitigate potential 3PC-blocking-related breakage.
Initial public proposal
https://github.com/w3c/webappsec-csp/issues/664
TAG reviewhttps://github.com/w3ctag/design-reviews/issues/1004
TAG review statusRequested
Risks Interoperability and CompatibilityGecko: No signal
WebKit: No signal
Web developers: No signal
Other signals: N/A
WebView application risksDoes this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
No
DebuggabilityNone
Is this feature fully tested by web-platform-tests?No
Flag name on chrome://flagsNone
Finch feature name‘AllowSameSiteNoneCookiesInSandbox’
Non-finch justificationNone
Requires code in //chrome?No
Tracking bughttps://g-issues.chromium.org/u/0/issues/372894175
Estimated milestonesTBD
Link to entry on the Chrome Platform Statushttps://chromestatus.com/feature/5090336588955648