bin...@chromium.org, davi...@chromium.org, kaust...@chromium.org, mike...@chromium.org
https://github.com/sbingler/schemeful-same-site
Specification
https://github.com/httpwg/http-extensions/pull/1324
https://docs.google.com/document/d/1gTQAljDySGAY9P52zXHqJsnAgYB_38YT2CiKmcl4elg/
SummaryModifies the definition of same-site for cookies such that requests on the same registrable domain but across schemes are considered cross-site instead of same-site. E.g., http://site.example and https://site.example will now be considered cross-site to each other. Current plans target a gradual rollout in M88, while monitoring ecosystem impact via metrics and bug reports.
Blink componentSearch tagsSameSite, Same-site, same site, scheme, schemeful
TAG reviewhttps://github.com/w3ctag/design-reviews/issues/497
TAG review statusIssues addressed
RisksSites relying on changed behaviors may break. Current metrics show that, as of Nov 1th 2020, 0.27% of all page visits will have at least a single cookie blocked. Of the total cookies sent however, only 0.01% will be blocked. Manual investigation into sites with blocked cookies have turned up no functional changes (with the caveat that these behavior changes may be hidden behind log-ins which were not tested). Pre-stable experiments (50% Canary/Dev/Beta) have resulted in 0 bug reports as of this posting.
Gecko: Positive (https://github.com/mozilla/standards-positions/issues/260)
Edge: Neutral (https://groups.google.com/a/chromium.org/d/msg/blink-dev/qB7DKqxkiaA/w0XzGvEyBAAJ)
WebKit: No signal
Web developers: No signals
ActivationNo activation is required.
DebuggabilityWarning messages have been added to the DevTools Issues Tab to notify developers when a cookie has been blocked.
The policies LegacySameSiteCookieBehaviorEnabled and LegacySameSiteCookieBehaviorEnabledForDomainList may be used to completely disable “Schemeful Same-Site” or to disable only for a list of domains, respectively.
Yes
All platforms except for WebView will be supported at launch. WebView support will come later due to compatibility issues.
Is this feature fully tested by web-platform-tests?Yes
Tracking bugLaunch bugLink to entry on the Chrome Platform Statushttps://www.chromestatus.com/feature/5096179480133632
Links to previous Intent discussionsIntent to prototype: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/qB7DKqxkiaA32
Manuel,I'm waiting on Webkit's response to my request for position. I've just pinged the thread again.
StevenOn Thursday, November 26, 2020 at 6:44:29 AM UTC-5 Manuel Rego wrote:Everything looks good.
On 23/11/2020 22:47, Steven Bingler wrote:
> WebKit: No signal
Can we ask for WebKit signals https://bit.ly/blink-signals ?
Thanks,
Rego
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/fbb21623-fd8f-41f4-acb9-781719778deen%40chromium.org.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/c0ab69fc-0b22-fc23-22a1-a2c50668efa3%40igalia.com.