Intent to implement: Cookie SameSite=lax by default and SameSite=none only if secure


Andrea Marchesini

May 23, 2019, 4:34:14 AM
to dev-platform
Link to the proposal:
https://tools.ietf.org/html/draft-west-cookie-incrementalism-00

Summary:
"1. Treat the lack of an explicit "SameSite" attribute as
"SameSite=Lax". That is, the "Set-Cookie" value "key=value" will
produce a cookie equivalent to "key=value; SameSite=Lax".
Cookies that require cross-site delivery can explicitly opt-into
such behavior by asserting "SameSite=None" when creating a
cookie.
2. Require the "Secure" attribute to be set for any cookie which
asserts "SameSite=None" (similar conceptually to the behavior for
the "__Secure-" prefix). That is, the "Set-Cookie" value
"key=value; SameSite=None; Secure" will be accepted, while
"key=value; SameSite=None" will be rejected."

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1551798

Platform coverage: all

Estimated or target release: 69 - behind pref

Preferences behind which this will be implemented:
- network.cookie.sameSite.laxByDefault
- network.cookie.sameSite.noneRequiresSecure (this requires the previous
one to be set to true)

Is this feature enabled by default in sandboxed iframes? yes.

Do other browser engines implement this?
- Chrome is implementing/experimenting with this feature:
https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
- Safari: no signal yet.

web-platform-tests: There is a pull-request
https://github.com/web-platform-tests/wpt/pull/16957
Implementing this feature, I added a mochitest to inspect cookies via
CookieManager.

Is this feature restricted to secure contexts? no
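The two rules from the proposal, modelled as an added example keyed to the two prefs named above (example code, not Firefox's cookie service; the `Set-Cookie` parsing is a deliberate simplification and the handling of unknown SameSite values is an assumption):

```python
# Added example: the draft-west-cookie-incrementalism rules applied to one
# Set-Cookie header value, with the two Firefox pref names from the intent.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Verdict:
    accepted: bool
    samesite: Optional[str]  # effective SameSite value when accepted
    reason: str


def evaluate_set_cookie(header: str,
                        lax_by_default: bool = True,        # network.cookie.sameSite.laxByDefault
                        none_requires_secure: bool = True   # network.cookie.sameSite.noneRequiresSecure
                        ) -> Verdict:
    """Decide whether the cookie is stored and what SameSite value it gets."""
    parts = [p.strip() for p in header.split(";")]
    if not parts or "=" not in parts[0]:
        return Verdict(False, None, "no name=value pair")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        name, _, value = attr.partition("=")
        attrs[name.strip().lower()] = value.strip()
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").lower()  # "" when the attribute is absent
    if samesite not in ("", "strict", "lax", "none"):
        samesite = ""  # assumption: unknown values behave like a missing attribute
    if samesite == "":
        # Rule 1: a missing attribute becomes Lax once the pref is on; with the
        # pref off the legacy behaviour (no cross-site restriction) applies.
        samesite = "lax" if lax_by_default else "none"
    # The second pref only takes effect when the first one is set (per the intent).
    if samesite == "none" and lax_by_default and none_requires_secure and not secure:
        # Rule 2: SameSite=None is rejected unless Secure is also present.
        return Verdict(False, None, "SameSite=None without Secure")
    return Verdict(True, samesite, "ok")


def sent_cross_site(samesite: str, top_level_navigation: bool,
                    safe_method: bool) -> bool:
    """Would an accepted cookie be attached to a cross-site request?"""
    if samesite == "none":
        return True
    if samesite == "lax":
        # Lax: only on top-level navigations using a safe method such as GET.
        return top_level_navigation and safe_method
    return False  # strict: never cross-site
```

Under the defaults, `sid=abc` is stored as Lax and no longer reaches a cross-site subresource request, which is the observable change for sites that relied on the old behaviour.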

Frederik Braun

May 23, 2019, 4:53:19 AM
to dev-pl...@lists.mozilla.org
Having read the proposal, I think it's a good mechanism for us to know
about websites that want third-party cookies and it seems less costly to
deploy for websites than Storage Access API.

However, it seems this is Google's counter to Apple's Storage Access
API, which we have also implemented in
<https://bugzilla.mozilla.org/show_bug.cgi?id=1469714>.

What's our plan here? Offer both and find out what's going to get more
traction?


Mike West

May 23, 2019, 5:40:10 AM
to Frederik Braun, dev-pl...@lists.mozilla.org
On Thu, May 23, 2019 at 10:53 AM Frederik Braun <fbr...@mozilla.com> wrote:

> Having read the proposal, I think it's a good mechanism for us to know
> about websites that want third-party cookies and it seems less costly to
> deploy for websites than Storage Access API.
>
> However, it seems this is Google's counter to Apple's Storage Access
> API, which we have also implemented in
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1469714>.
>

IMO, these are not at all mutually exclusive. Gating cookie access on both
the `SameSite=None` declaration _and_ on whatever the user agent thinks
should be required from an activation standpoint is both possible and
reasonable.

-mike
