Intent To Ship: Allow SameSite=None Cookies in First-Party Sandboxed Contexts


Anusha Muley
Feb 12, 2025, 9:09:27 AM
to blink-dev, Dylan Cutler, Johann Hofmann
Contact emails

anush...@chromium.org, dylan...@chromium.org 


Explainer

https://github.com/explainers-by-googlers/csp-sandbox-allow-same-site-none-cookies  


Specification

HTML Spec https://github.com/whatwg/html/pull/10915  


Summary

Enable a frame to signal the browser to include SameSite=None cookies in first-party requests from sandboxed frames when third-party cookie (3PC) restrictions are active, using the allow-same-site-none-cookies value.


Blink component

Chromium > Blink > SecurityFeature > ContentSecurityPolicy  

Search tags

allow-same-site-none-cookies


TAG review

https://github.com/w3ctag/design-reviews/issues/1004

TAG review status

Early Design Review Satisfied


Chromium Trial Name

N/A - No OT


Origin Trial documentation link

N/A - No OT


Risks

Interoperability and Compatibility

Gecko: Positive 


WebKit: No signal (we discussed this with them and got tentatively positive feedback)


Web developers: Positive (see public feedback, we also received a private signal of developer demand)


Other signals:


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

No



Debuggability

Feature use visible in the experimental Chrome DevTools Protocol Monitor, Cookies (and the reasons why they are included/excluded) are generally debuggable via the Network panel.



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

Yes



Is this feature fully tested by web-platform-tests?

Yes, https://wpt.fyi/results/cookies/samesite/sandbox-allow-same-site-none-cookies-value.tentative.https.html 


Flag name on chrome://flags

N/A


Finch feature name

“AllowSameSiteNoneCookiesInSandbox”


Requires code in //chrome?

False


Tracking bug

https://g-issues.chromium.org/u/0/issues/372894175


Measurement

UMA histogram value to measure the usage of the new ThirdPartyCookieAllowMechanism

UKM log usage and aggregate by urls that are using the value


Sample links

https://sandbox-allow-same-site-none-cookies-demo.glitch.me/ 


Estimated milestones

135


Anticipated spec changes

None


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5090336588955648 


Links to previous Intent discussions

Intent to Prototype: Allow SameSite=None Cookies in First-Party Sandboxed Contexts
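One way to see what the value changes, as an added example that models the behaviour the summary above describes (this is not Chromium's or the explainer's code; the two-label site test and the decision rule are simplifying assumptions):

```python
# Added example, not code from Chromium or the explainer: a simplified model of how
# the allow-same-site-none-cookies token in a document's CSP `sandbox` directive
# changes which cookies a request issued from that sandboxed frame carries.
from urllib.parse import urlsplit

TOKEN = "allow-same-site-none-cookies"


def sandbox_tokens(csp_header):
    """Tokens of the CSP `sandbox` directive, or None when the document is not sandboxed."""
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "sandbox":
            return {t.lower() for t in parts[1:]}
    return None


def site(url):
    # Assumption: the "site" is the last two host labels (stand-in for the public-suffix list).
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def cookies_sent(cookies, top_url, frame_url, frame_csp, request_url, block_3pc=True):
    """Names of the cookies attached to request_url when issued from the frame.

    cookies: list of (name, samesite) pairs, samesite in {"Strict", "Lax", "None"}.
    Assumed model: a sandboxed frame has an opaque origin, so its requests are never
    same-site (Strict/Lax excluded) and, with third-party cookie blocking on, its
    SameSite=None cookies are excluded too, unless the sandbox directive carries TOKEN
    and the frame URL, the request URL and the top-level page are all one site.
    """
    tokens = sandbox_tokens(frame_csp)
    sandboxed = tokens is not None
    first_party = site(frame_url) == site(top_url) == site(request_url)
    sent = []
    for name, samesite in cookies:
        if samesite == "None":
            allowed = (not block_3pc) or (first_party and (not sandboxed or TOKEN in tokens))
        else:  # Strict/Lax need a genuinely same-site, non-opaque requester
            allowed = first_party and not sandboxed
        if allowed:
            sent.append(name)
    return sent


# Constructed sample: a same-site sandboxed frame on docs.example.com calling its own API.
COOKIES = [("sid", "Strict"), ("pref", "Lax"), ("token", "None")]
TOP, FRAME, API = ("https://docs.example.com/doc/1",
                   "https://docs.example.com/render/42",
                   "https://docs.example.com/api/data")
```

With `Content-Security-Policy: sandbox allow-scripts` on the frame's response the API call carries no cookies; adding the token lets only the SameSite=None cookie through, and a cross-site request is unaffected either way.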

Vladimir Levin
Feb 12, 2025, 11:21:21 AM
to Anusha Muley, blink-dev, Dylan Cutler, Johann Hofmann
Hey,

Do you mind starting all of the relevant reviews for this as well?

Thanks,
Vlad

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/d0ddbd19-fd21-483f-8a10-6c1e8f1b5177n%40chromium.org.

Anusha Muley
Feb 12, 2025, 12:04:55 PM
to blink-dev, vmp...@chromium.org, blink-dev, Dylan Cutler, Johann Hofmann, Anusha Muley

Hey, sorry about that, just went ahead and started all of the relevant ones!

Domenic Denicola
Feb 12, 2025, 11:52:16 PM
to blink-dev, anush...@google.com, Vladimir Levin, blink-dev, dylan...@google.com, joha...@google.com
The spec PR for this is still marked as a draft, and as such hasn't received significant editor review. Can you say more about what's blocking it from being ready?

Rupert Wiser
Feb 13, 2025, 4:08:49 AM
to blink-dev, Domenic Denicola, anush...@google.com, Vladimir Levin, blink-dev, dylan...@google.com, joha...@google.com
Can you confirm this was tested in WebView specifically? WebView applies 3PC settings a little differently from other content embedders and I suspect you might need additional plumbing for the JS cookies.

Johann Hofmann
Feb 13, 2025, 9:44:27 AM
to Rupert Wiser, blink-dev, Domenic Denicola, anush...@google.com, Vladimir Levin, dylan...@google.com
> The spec PR for this is still marked as a draft, and as such hasn't received significant editor review. Can you say more about what's blocking it from being ready?

As alluded to by Anne in the PR, this is yet another feature dependent on cookie layering work to complete. The good news is that there's significant progress on that front, with both a new cookies spec draft and HTML / Fetch PRs being worked on by a group of contributors from Chromium, WebKit and Firefox. Our hope is to have the majority of layering work completed this year, which is great given the complexity of the work but IMO a bit too long to block features like this one from progressing.

I think I can speak for Anusha and Dylan when I say that we're ready to bear the cost of potential changes for interop, also because we think that is unlikely given our positive conversations with other browser vendors.

Alex Russell
Feb 19, 2025, 11:28:51 AM
to blink-dev, joha...@google.com, blink-dev, Domenic Denicola, anush...@google.com, Vladimir Levin, dylan...@google.com, Rupert Wiser
LGTM1; thanks for making sure to follow up on the spec PRs.

Chris Harrelson
Feb 19, 2025, 11:29:50 AM
to Alex Russell, blink-dev, joha...@google.com, Domenic Denicola, anush...@google.com, Vladimir Levin, dylan...@google.com, Rupert Wiser

Vladimir Levin
Feb 19, 2025, 11:30:21 AM
to blink-dev, Chris Harrelson, blink-dev, joha...@google.com, Domenic Denicola, anush...@google.com, Vladimir Levin, dylan...@google.com, Rupert Wiser, Alex Russell
LGTM3
