
Standardizing Security Semantics of Cross-Site Cookies #191

Open
DCtheTall opened this issue May 24, 2023 · 2 comments
Labels

  • blocked: Coming to a position is blocked on issues identified with the spec or proposal.
  • concerns: venue: This proposal is in the wrong standards/incubation venue, or it's not in a venue at all.
  • from: Google: Proposed, edited, or co-edited by Google.
  • topic: privacy
  • topic: security

Comments

@DCtheTall
WebKittens

@annevk @johnwilander

Title of the spec

Standardizing Security Semantics of Cross-Site Cookies

URL to the spec

https://github.com/DCtheTall/standardizing-cross-site-cookie-semantics

URL to the spec's repository

No response

Issue Tracker URL

No response

Explainer URL

No response

TAG Design Review URL

No response

Mozilla standards-positions issue URL

mozilla/standards-positions#806

WebKit Bugzilla URL

No response

Radar URL

No response

Description

This document proposes to standardize the security semantics of cross-site cookies when third-party cookie blocking is enabled. The main points we would like to make standard behavior are:

  • Block third-party cookies from being written or read by same-site embeds with cross-site ancestors (aka ABA embeds) unless the embed is granted storage access.
  • Block cookies in first-party subresource requests that were redirects from third-party URLs.
  • Allow cookies to be sent in top-level POST navigation requests to continue supporting prevalent use cases like 3D-Secure.

Since this behavior causes third-party cookie blocking to be stricter in WebKit than the current state (particularly for ABA embeds) we can work with you to minimize the compat impact.
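The three rules above, modelled as one decision function over a constructed request context. This is an added example, not code from the proposal, WebKit or Chromium; the context field names (`frameChain`, `redirectChain`, `hasStorageAccess`, `kind`), the hosts in the scenarios, and the simplified "site" computation (last two host labels instead of the Public Suffix List) are all assumptions made for illustration.

```javascript
// Added example (not WebKit or Chromium code): a model of the three rules in the
// proposal as a single decision function over a constructed request context.
// "Site" here is the last two host labels; real browsers use the Public Suffix List.

function siteOf(url) {
  const host = new URL(url).hostname;
  return host.split('.').slice(-2).join('.');
}

function isSameSite(a, b) {
  return siteOf(a) === siteOf(b);
}

// ctx fields (all names are assumptions for this example):
//   requestUrl       URL the request is going to
//   kind             'top-level-navigation' | 'subresource' | 'iframe'
//   method           'GET' | 'POST'
//   frameChain       documents from the top-level page down to and including the
//                    document issuing the request, e.g. [A, B, A] for an ABA embed
//   redirectChain    URLs this request passed through before requestUrl, in order
//   hasStorageAccess whether the requesting document has been granted storage access
function cookiesAllowed(ctx) {
  const {
    requestUrl, kind, method = 'GET',
    frameChain = [], redirectChain = [], hasStorageAccess = false,
  } = ctx;

  // Rule 3: top-level navigations keep their cookies, POST included (3D-Secure return).
  if (kind === 'top-level-navigation') {
    return { allowed: true, reason: 'top-level navigation (' + method + ')' };
  }

  const topLevel = frameChain[0];

  // Plain third-party request: cross-site to the top-level page.
  if (!isSameSite(requestUrl, topLevel)) {
    return hasStorageAccess
      ? { allowed: true, reason: 'third-party with storage access' }
      : { allowed: false, reason: 'third-party' };
  }

  // Rule 1: same-site with the top-level page, but a cross-site ancestor sits in
  // between (ABA). Blocked unless storage access was granted.
  if (frameChain.some((doc) => !isSameSite(doc, topLevel))) {
    return hasStorageAccess
      ? { allowed: true, reason: 'ABA embed with storage access' }
      : { allowed: false, reason: 'ABA embed' };
  }

  // Rule 2: first-party request that was reached by a redirect from a third-party URL.
  if (redirectChain.some((u) => !isSameSite(u, topLevel))) {
    return { allowed: false, reason: 'redirected from third-party URL' };
  }

  return { allowed: true, reason: 'first-party' };
}

// Constructed scenarios with hypothetical hosts.
const SCENARIOS = {
  firstParty: {
    requestUrl: 'https://shop.example/api/cart', kind: 'subresource',
    frameChain: ['https://shop.example/checkout'],
  },
  thirdPartyIframe: {
    requestUrl: 'https://pay.example/api/session', kind: 'subresource',
    frameChain: ['https://shop.example/checkout', 'https://pay.example/frame'],
  },
  abaEmbed: {
    requestUrl: 'https://shop.example/api/cart', kind: 'subresource',
    frameChain: ['https://shop.example/checkout', 'https://pay.example/frame', 'https://shop.example/widget'],
  },
  abaWithStorageAccess: {
    requestUrl: 'https://shop.example/api/cart', kind: 'subresource',
    frameChain: ['https://shop.example/checkout', 'https://pay.example/frame', 'https://shop.example/widget'],
    hasStorageAccess: true,
  },
  redirectFromThirdParty: {
    requestUrl: 'https://shop.example/track', kind: 'subresource',
    frameChain: ['https://shop.example/checkout'],
    redirectChain: ['https://ads.example/click'],
  },
  topLevelPost: {
    requestUrl: 'https://shop.example/3ds-return', kind: 'top-level-navigation', method: 'POST',
  },
};

function runScenarios() {
  const results = {};
  for (const [name, ctx] of Object.entries(SCENARIOS)) {
    results[name] = cookiesAllowed(ctx);
  }
  return results;
}

console.log(runScenarios());
```

Only the ABA and redirect rules make the model stricter than plain third-party blocking; a frame whose request is already cross-site to the top-level page is handled by the existing third-party branch, which is why the ABA check only runs once the request has passed the same-site-with-top test.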

@johnwilander

Hi! Thanks for filing. Could you move your spec to a group where it’s under W3C’s governance and has clear rules on intellectual property, please? We try to avoid commenting on things in personal repos. Thanks!

@johannhof

Thanks for pointing that out John, and apologies, we'll look into that.

@hober added the labels blocked, concerns: venue, topic: privacy, topic: security and from: Google on Jun 1, 2023.
5 participants