FYI: Chrome plans to ship an implementation of same-site cookies.

From: Mike West <mkwst@google.com>
Date: Fri, 25 Mar 2016 10:35:57 +0100
Message-ID: <CAKXHy=dSspkE9EC2aKQ8nU21MPapzMLtsWQXpP-tnhu0pHTpZg@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>, Mark Goodwin <mgoodwin@mozilla.com>

Hello, HTTP WG folks who are interested in cookies. :)

We've talked on and off about same-site cookies as a defense in depth
against CSRF and related attacks; I think they're solidly enough defined to
ship and let folks begin experimenting with. We plan on pushing them out
the door in Chrome ~51, and I hear that folks at Mozilla are planning on
beginning an implementation in Q2:

Spec: https://tools.ietf.org/html/draft-west-first-party-cookies

Intent to Ship:

There's a very slightly updated -07 that I'll upload once things open up
again, but it doesn't contain any normative changes. Feedback on the
existing text (or Chrome's implementation) would be much appreciated.

Received on Friday, 25 March 2016 09:36:45 UTC
