Summary: Modify the definition of same-site <https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-5.2> for cookies such that requests on the same registrable domain but across schemes are considered cross-site instead of same-site. E.g., http://site.example and https://site.example will now be considered cross-site to each other. (Helpfully copied from a similar blink-dev email)
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1638358
Standard: https://mikewest.github.io/cookie-incrementalism/draft-west-cookie-incrementalism.html#rfc.section.3.3
Platform coverage: all
Preference: network.cookie.sameSite.schemeful - this pref is set to true in nightly and early beta to see the level of breakage.
DevTools: no extra work is required for devtools. A console message is shown when a cookie is not shared/sent because of the schemeful comparison.
Other browsers:
- Chrome intent to prototype: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/qB7DKqxkiaA
- Safari: no signal, yet.
web-platform-tests: no WPTs yet. I wrote a few xpcshell to test the cookie DB migration and the sameSite comparison with and without schemeful, but no WPTs have been implemented yet.
Mozilla standards position: https://github.com/mozilla/standards-positions/issues/260
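
The comparison described in the Summary, as an added example that is not part of the original email and is not Firefox code. The `schemeful` flag mirrors the effect of the network.cookie.sameSite.schemeful pref. `SUFFIXES` is a constructed stand-in for the Public Suffix List, the function names are hypothetical, and only http and https URLs are handled.

```javascript
// Added illustration, not Firefox code. SUFFIXES is a constructed stand-in
// for the Public Suffix List; real browsers consult the full list.
const SUFFIXES = new Set(["example", "com", "co.uk"]);

// Registrable domain = longest matching public suffix plus one more label.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      // i === 0 means the host is itself a public suffix: no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // suffix unknown to this constructed list
}

// Site key for an http(s) URL. Ports and paths never take part.
// With schemeful=true the scheme becomes part of the key.
function siteKey(url, schemeful) {
  const u = new URL(url);
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error("this example handles http and https only");
  }
  // Fall back to the full host when there is no registrable domain.
  const domain = registrableDomain(u.hostname) ?? u.hostname;
  return schemeful ? `${u.protocol}//${domain}` : domain;
}

// True when both URLs belong to the same site under the chosen definition.
function isSameSite(a, b, schemeful) {
  return siteKey(a, schemeful) === siteKey(b, schemeful);
}

// Constructed sample pair: same registrable domain, different schemes.
const pair = ["http://site.example/", "https://site.example/"];
console.log("schemeless:", isSameSite(pair[0], pair[1], false));
console.log("schemeful: ", isSameSite(pair[0], pair[1], true));
```
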