Contact emails anushamu...@chromium.org, dylancut...@chromium.org Explainer
https://github.com/explainers-by-googlers/csp-sandbox-allow-same-site-none-cookies Specification None Summary Enable a frame to signal the browser to include SameSite=None cookies in first-party requests from sandboxed frames when third-party cookie (3PC) restrictions are active using the allow-same-site-none-cookies value. Blink component Chromium > Blink > SecurityFeature > ContentSecurityPolicy Motivation To prevent malicious attacks from untrusted content, servers can include a Content-Security-Policy HTTP header or iframe attribute to sandbox a page. This policy results in the browser treating the page as an opaque origin, which prevents requests originating from this page from including SameSite=Strict/Lax cookies. Considering an example webpage at storage.example.com where users upload untrusted code, the owners may choose to sandbox the page to restrict user scripts from being run. Due to this sandboxing, only SameSite=None cookies can be used for access control. However, this creates an issue if third-party cookies (3PCs) are blocked— particularly for sandboxed frames that are same-site with respect to the top-level site (including possibly the top-level frame itself). All subresource requests from storage.example.com would be considered cross-site in the context of 3PC blocking and requests from these sandboxed pages will no longer even have their SameSite=None cookies. Even though the cookies are not being sent in a truly cross-site context, access-controlled content such as embedded media would not be included on the page. This proposal allows servers to restore existing behavior and ensure these cookies are included in same-site requests, which can mitigate potential 3PC-blocking-related breakage. Initial public proposal https://github.com/w3c/webappsec-csp/issues/664 TAG review https://github.com/w3ctag/design-reviews/issues/1004 TAG review status Requested Risks Interoperability and Compatibility None Gecko: No signal WebKit: No signal Web developers: No signal Other signals: N/A WebView application risks Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? No Debuggability None Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> ? No Flag name on chrome://flags None Finch feature name ‘AllowSameSiteNoneCookiesInSandbox’ Non-finch justification None Requires code in //chrome? No Tracking bug https://g-issues.chromium.org/u/0/issues/372894175 Estimated milestones TBD Link to entry on the Chrome Platform Status https://chromestatus.com/feature/5090336588955648 -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/f89dec9c-ba10-4c4a-b208-7804ab5d32d7n%40chromium.org.
