Re: SameSite=Strict cookies for a user entered URL from Mike West on 2016-06-20 (ietf-http-wg@w3.org from April to June 2016)

From: Mike West <mkwst@google.com>
Date: Mon, 20 Jun 2016 16:34:20 +0200
To: Craig Francis <craig.francis@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAKXHy=eGZYSEbUpQ=JkoB-ryRQyTQnU-4wwE8JBEroATZk+NhQ@mail.gmail.com>

-security-dev, public-webappsec to BCC.
+ietf-http-wg@w3.org, which is the group you'll probably want to poke at
about cookies.

On Mon, Jun 13, 2016 at 6:35 PM, Craig Francis <craig.francis@gmail.com>
wrote:

> Hi,
>
> I was wondering about the security vs usability in how SameSite=Strict
> cookies work.
>
> At the moment (in Chrome 51 - 53 at least), if you're on a website, and
> copy/paste a URL for the current website in to the current tabs address
> bar, the SameSite=Strict cookies are sent in that request.
>
> But if you open a new tab, paste the URL, the requested page does not
> include the SameSite=Strict cookies.
>

This is a bug in Chrome's implementation that I'm poking at. Step 1 of
https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-2.1
handles this case, though it's a bit opaque since it requires you to know
that a new, user-navigated tab doesn't have a 'client'. I've filed
https://github.com/httpwg/http-extensions/issues/201 to add a note to the
spec to clarify things.

Thanks for the report, and sorry for the delayed response.

-mike

Received on Monday, 20 June 2016 14:43:29 UTC