Standardizing Security Semantics for Cross-Site Cookies

[DCtheTall]

Request for Mozilla Position on an Emerging Web Specification

• Specification Title: Standardizing Security Semantics of Cross-Site Cookies
• Specification or proposal URL (if available): N/A
• Explainer URL (if available): https://github.com/DCtheTall/standardizing-cross-site-cookie-semantics
• Caniuse.com URL (optional): N/A
• Bugzilla URL (optional): N/A
• Mozillians who can provide input (optional): @dveditz @bvandersloot-mozilla

Other information

This document proposes to standardize the security semantics of cross-site cookies when third-party cookie blocking is enabled. The main points we would like to make standard behavior are:

• Block third-party cookies from being written or read by same-site embeds with cross-site ancestors (aka ABA embeds) unless the embed is granted storage access.
• Block cookies in first-party subresource requests that were redirects from third-party URLs.
• Allows cookies to be sent in top-level POST navigation requests to continue supporting prevalent use cases like 3D-Secure.

Since this behavior causes third-party cookie blocking to be stricter in Gecko than the current state (particularly for ABA embeds) we can work with you to minimize the compat impact.

[dveditz]

A bit of a nitpick, but what "standard" are we supposed to have a position on? There's a link to an explainer, but this looks very "pre-standard" and I'm not sure our standards position process is intended for discussions that are in that stage.

[zcorpan]

I'm not sure our standards position process is intended for discussions that are in that stage.

I've filed #808

[johannhof]

Hey Dan, that's a fair point. We're aiming to pick this up as a WG Note for WebAppSec and would appreciate your early input to the explainer, but I understand if this issue is not actionable for deriving a position on at the moment. We'll get back to you when there's been some progress.