-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Expose partitionedness #32
Comments
If ancestor chain bit gets implemented for CHIPS, SameSite=None cookies would no longer be available in ABA contexts right? @johannhof |
Ancestor chain bit just means it's partitioned by a different key, no? And of course they become available once storage access is granted. :) |
Ah, I'm conflating two things. Makes sense |
I think there are two main questions (each with a follow-up) that web developers may ask here:
With that in mind, I think most of these would be satisfied by supporting two new sets of headers:
I think this neatly separates the question on partitioned cookies from the concern around A1 > B > A2 cookies mentioned above (and handles that concern gracefully, allowing server-side opt in if needed). I'd like to discuss supporting the combination of these headers, to see if others agree and support this work. |
Exposing whether an environment is partitioned, mainly through an HTTP request header, came up in the last cookie discussion privacycg/meetings#19 (again). There's a couple different ideas floating around addressing various use cases around security and developer ergonomics.
Sec-Fetch-Ancestors
? w3c/webappsec-fetch-metadata#56#31 and #25 also relate to this in that for cookies people have suggested a different keying setup, which really drives home the point that we have to be very careful with what we end up doing in this space.
I think having an equivalent to
Sec-Fetch-Site
that tells you something about your ancestor documents (none
,same-origin
,same-site
, orcross-site
) still makes a lot of sense. However, in a A1 -> B -> A2 scenario this header would signal cross-site for A2, which might not make it clear enough it can still setSameSite=None
cookies (depending on how #31 gets decided). It would indicate that CHIPS cookies would work however so maybe that is good enough. (The main alternative I can think of is that we'd expose a separate "what is my site relation with the top-level" header, but I'm not convinced that carries its weight.)The text was updated successfully, but these errors were encountered: