-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cross-site cookies standardization, part 2 #19
Comments
I think all these are super important to figure out and discuss, I just wonder if our regular meeting format can allow folks to properly deep dive into those (maybe with some preparatory coordination beforehand). |
I figured I'd at least have some slides next time (help appreciated) to set context and obviate the need for some of the questions that we ended up with yesterday, but I'd also be happy to discuss these with a smaller group. |
Meeting slides: https://docs.google.com/presentation/d/1OBR1mfp_EEBOQJr26tQd6LUmU8CmZOClQqVBMjSabd4/edit. Meeting minutes: https://github.com/privacycg/meetings/blob/main/2022/telcons/05-12-minutes.md. Follow-up issue on A1 -> B -> A2 (and SameSite=None): privacycg/storage-partitioning#31. Related issue on keying in CHIPS: privacycg/CHIPS#40. I think this can be closed. @johannhof @krgovind can you double check? |
We can probably close this, but I think it might be worth tracking the larger discussion around SameSite=None and what would happen to it in a world without third party cookies (what about POST requests, do we still need "lax"?). Do you think storage-partitioning is the right place for that? |
Yeah, let's track cookie issues that don't have a good home there for now. I also realized we don't have a good issue there for exposing partitionedness so I'm filing that as well. |
We met at TPAC to continue this discussion (slides, I don't think we had a scribe which is entirely my fault), here's a summary of what we ended up discussing and agreeing on: Cookie Layering:
Cross-site cookies vs.
Thank you everyone for a great productive chat! |
cc @krgovind |
@krgovind made me aware of two small additions to the above:
|
I think when Embracing |
Ok, yeah, I actually agree with that, thanks for following up! |
I've done some triage to figure out if there are additional items that warrant discussion. Building on #16 and what did not get addressed in yesterday's meeting, that gives:
SameSite=None
.Sec-Fetch-Ancestors
? w3c/webappsec-fetch-metadata#56 & Fetch-Metadata to indicate when the browser is in a partitioned context w3c/webappsec-fetch-metadata#80 (see User agents should indicate to servers whether a request is cross-site CHIPS#2 for context).(Obviously open for further additions, but I figured I'd file this directly to keep track of it.)
Edit: I moved what is now 6 to the end as it's somewhat unrelated to cookies.
The text was updated successfully, but these errors were encountered: