Intent to Ship: Schemeful Same-Site


Steven Bingler

Nov 23, 2020, 4:47:19 PM
to blink-dev
Contact emails

bin...@chromium.org, davi...@chromium.org, kaust...@chromium.org, mike...@chromium.org


Explainer

https://github.com/sbingler/schemeful-same-site

Specification

https://mikewest.github.io/cookie-incrementalism/draft-west-cookie-incrementalism.html#rfc.section.3.3


https://github.com/httpwg/http-extensions/pull/1324

Design docs

https://docs.google.com/document/d/1gTQAljDySGAY9P52zXHqJsnAgYB_38YT2CiKmcl4elg/

Summary

Modifies the definition of same-site for cookies such that requests on the same registrable domain but across schemes are considered cross-site instead of same-site. E.g., http://site.example and https://site.example will now be considered cross-site to each other. Current plans target a gradual rollout in M88, while monitoring ecosystem impact via metrics and bug reports.

Blink component

Blink>Network

Search tags

SameSite, Same-site, same site, scheme, schemeful

TAG review

https://github.com/w3ctag/design-reviews/issues/497

TAG review status

Issues addressed

Risks
Interoperability and Compatibility

Sites relying on changed behaviors may break. Current metrics show that, as of Nov 1st 2020, 0.27% of all page visits will have at least a single cookie blocked. Of the total cookies sent however, only 0.01% will be blocked. Manual investigation into sites with blocked cookies has turned up no functional changes (with the caveat that these behavior changes may be hidden behind log-ins which were not tested). Pre-stable experiments (50% Canary/Dev/Beta) have resulted in 0 bug reports as of this posting.

Gecko: Positive (https://github.com/mozilla/standards-positions/issues/260)

Edge: Neutral (https://groups.google.com/a/chromium.org/d/msg/blink-dev/qB7DKqxkiaA/w0XzGvEyBAAJ)

WebKit: No signal

Web developers: No signals

Activation

No activation is required.

Debuggability

Warning messages have been added to the DevTools Issues Tab to notify developers when a cookie has been blocked.

The policies LegacySameSiteCookieBehaviorEnabled and LegacySameSiteCookieBehaviorEnabledForDomainList may be used to completely disable “Schemeful Same-Site” or to disable only for a list of domains, respectively.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes

All platforms except for WebView will be supported at launch. WebView support will come later due to compatibility issues.

Is this feature fully tested by web-platform-tests?

Yes

Tracking bug

https://crbug.com/1030938

Launch bug

https://crbug.com/1124804

Link to entry on the Chrome Platform Status

https://www.chromestatus.com/feature/5096179480133632

Links to previous Intent discussions

Intent to prototype: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/qB7DKqxkiaA32
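
The definition change in the Summary, as an added example (not part of the original post and not Chromium's implementation): it computes same-site under both the legacy and the schemeful definition and lists which SameSite cookies stop being sent. The suffix list, helper names and sample URLs are constructed for illustration, and only http/https requests initiated from a top-level page are modelled.

```javascript
// Added illustration, not Chromium code. Models http/https requests only.
// ASSUMPTION: tiny constructed suffix list; real code needs the Public Suffix List.
const SUFFIXES = new Set(["example", "com", "co.uk"]);

// Registrable domain = longest matching public suffix plus one more label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? hostname : labels.slice(i - 1).join(".");
    }
  }
  return hostname; // unknown suffix: treat the whole host as its own site
}

// Legacy site = registrable domain; schemeful site = scheme + registrable domain.
function siteOf(url, schemeful) {
  const u = new URL(url);
  const domain = registrableDomain(u.hostname);
  return schemeful ? `${u.protocol}//${domain}` : domain;
}

// Would a cookie with this SameSite value be attached to the request?
// topLevelGet: the request is a top-level navigation using a safe method.
function cookieSent(req, schemeful) {
  if (req.sameSite === "None") return true;
  if (siteOf(req.from, schemeful) === siteOf(req.to, schemeful)) return true;
  return req.sameSite === "Lax" && req.topLevelGet === true;
}

// Requests whose cookie was sent under the legacy definition but not the new one.
function newlyBlocked(requests) {
  return requests.filter((r) => cookieSent(r, false) && !cookieSent(r, true));
}

// Constructed sample traffic (hypothetical URLs).
const SAMPLE = [
  { id: "xhr-strict", from: "http://site.example/", to: "https://site.example/api", sameSite: "Strict" },
  { id: "img-lax", from: "http://site.example/", to: "https://cdn.site.example/a.png", sameSite: "Lax" },
  { id: "nav-lax", from: "http://site.example/", to: "https://site.example/login", sameSite: "Lax", topLevelGet: true },
  { id: "nav-strict", from: "http://site.example/", to: "https://site.example/account", sameSite: "Strict", topLevelGet: true },
  { id: "same-scheme", from: "https://site.example/", to: "https://app.site.example/x", sameSite: "Strict" },
  { id: "none", from: "http://site.example/", to: "https://site.example/t", sameSite: "None" },
];

console.log(newlyBlocked(SAMPLE).map((r) => r.id));
```

In this model a Lax cookie still accompanies a cross-scheme top-level GET navigation, so the cookies that stop being sent are those on cross-scheme subresource requests and Strict cookies on cross-scheme navigations.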


Manuel Rego Casasnovas

Nov 26, 2020, 6:44:29 AM
to Steven Bingler, blink-dev
Everything looks good.

On 23/11/2020 22:47, Steven Bingler wrote:
> WebKit: No signal

Can we ask for WebKit signals https://bit.ly/blink-signals ?

Thanks,
Rego

Steven Bingler

Nov 30, 2020, 11:23:18 AM
to blink-dev, Manuel Rego, Steven Bingler
Manuel,

I'm waiting on Webkit's response to my request for position. I've just pinged the thread again.

Steven

Yoav Weiss

Nov 30, 2020, 11:29:47 AM
to Steven Bingler, blink-dev, Manuel Rego
LGTM1

On Mon, Nov 30, 2020 at 5:25 PM Steven Bingler <bin...@chromium.org> wrote:
> Manuel,
>
> I'm waiting on Webkit's response to my request for position. I've just pinged the thread again.

Oh, you could've linked to the fact that we asked for a position a while back and are still waiting on a response.
If we'd hear from them, that's great, but no need to block in this case.
 


Manuel Rego Casasnovas

Nov 30, 2020, 12:54:00 PM
to Yoav Weiss, Steven Bingler, blink-dev
LGTM2

On 30/11/2020 17:29, Yoav Weiss wrote:
> *LGTM1*
>
> On Mon, Nov 30, 2020 at 5:25 PM Steven Bingler <bin...@chromium.org> wrote:
>
> Manuel,
>
> I'm waiting on Webkit's response to my request for position. I've
> just pinged the thread again
> <https://lists.webkit.org/pipermail/webkit-dev/2020-November/031618.html>.
>
>
> Oh, you could've linked to the fact that we asked for a position a while
> back and are still waiting on a response.
> If we'd hear from them, that's great, but no need to block in this case.

Oh yeah, I saw "No signal" and no links to the mail asking for signals,
so I didn't know you already asked there. Sorry about that.

Bye,
Rego


Jochen Eisinger

Dec 1, 2020, 1:16:28 AM
to Manuel Rego Casasnovas, Yoav Weiss, Steven Bingler, blink-dev
lgtm3
