
Intent to Prototype: Schemeful Cookie Same-Site


Andrea Marchesini

May 18, 2020, 11:46:00 AM
to dev-platform
Summary: Modify the definition of same-site
<https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-5.2>
for cookies such that requests on the same registrable domain but across
schemes are considered cross-site instead of same-site. E.g.,
http://site.example and https://site.example will now be considered
cross-site to each other. (Helpfully copied from a similar blink-dev email)

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1638358

Standard:
https://mikewest.github.io/cookie-incrementalism/draft-west-cookie-incrementalism.html#rfc.section.3.3

Platform coverage: all

Preference: network.cookie.sameSite.schemeful - this pref is set to true in
nightly and early beta to see the level of breakage.

DevTools: no extra work is required for devtools. A console message is
shown when a cookie is not shared/sent because of the schemeful comparison.

Other browsers:
- Chrome intent to prototype:
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/qB7DKqxkiaA
- Safari: no signal, yet.

web-platform-tests: no WPTs yet. I wrote a few xpcshell tests to test the cookie
DB migration and the sameSite comparison with and without schemeful, but no
WPTs have been implemented yet.

Mozilla standards position:
https://github.com/mozilla/standards-positions/issues/260
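
The comparison described in the summary above, as an added illustration that is not code from the original post or from Firefox. The function names, the `schemeful` flag (standing in for the network.cookie.sameSite.schemeful pref) and the three-entry suffix set are assumptions; ws/wss handling is left out.

```javascript
// Constructed stand-in for the Public Suffix List; a real check needs the full list.
const PUBLIC_SUFFIXES = new Set(["com", "example", "co.uk"]);

// Registrable domain = longest matching public suffix plus one label to its left.
function registrableDomain(host) {
  const h = host.toLowerCase();
  const labels = h.split(".");
  for (let i = 0; i < labels.length; i++) {
    // i grows from 0, so the first hit is the longest matching suffix.
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // A host that is itself a public suffix has no registrable domain.
      return i === 0 ? h : labels.slice(i - 1).join(".");
    }
  }
  return h; // unknown suffix (e.g. localhost): compare the exact host
}

// Legacy same-site ignores the scheme; schemeful same-site also requires it to match.
function isSameSite(urlA, urlB, schemeful) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  if (registrableDomain(a.hostname) !== registrableDomain(b.hostname)) return false;
  return !schemeful || a.protocol === b.protocol;
}

// Hypothetical helper: would a cookie with this SameSite value ride on the request?
// topLevelSafeNavigation models a top-level navigation with a safe method (e.g. GET).
function cookieSent(sameSite, initiatorUrl, targetUrl, opts = {}) {
  const { schemeful = false, topLevelSafeNavigation = false } = opts;
  if (sameSite === "None") return true;
  if (isSameSite(initiatorUrl, targetUrl, schemeful)) return true;
  return sameSite === "Lax" && topLevelSafeNavigation;
}

// Constructed scenario: an http page requesting a subresource from its https twin.
const page = "http://site.example/";
const api = "https://site.example/api";
for (const schemeful of [false, true]) {
  for (const attr of ["Strict", "Lax", "None"]) {
    const sent = cookieSent(attr, page, api, { schemeful });
    console.log(`schemeful=${schemeful} SameSite=${attr} sent=${sent}`);
  }
}
```

With the flag on, Strict and Lax cookies drop off the cross-scheme subresource request, which is the kind of breakage the pref is meant to surface.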