FYI: Chrome plans to ship an implementation of same-site cookies.

From: Mike West <mkwst@google.com>
Date: Fri, 25 Mar 2016 10:35:57 +0100
Message-ID: <CAKXHy=dSspkE9EC2aKQ8nU21MPapzMLtsWQXpP-tnhu0pHTpZg@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>, Mark Goodwin <mgoodwin@mozilla.com>

Hello, HTTP WG folks who are interested in cookies. :)

We've talked on and off about same-site cookies as a defense in depth
against CSRF and related attacks; I think they're solidly enough defined to
ship and let folks begin experimenting with. We plan on pushing them out
the door in Chrome ~51, and I hear that folks at Mozilla are planning on
beginning an implementation in Q2:

Spec: https://tools.ietf.org/html/draft-west-first-party-cookies

Intent to Ship:
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/csCtW3M3-wg

There's a very slightly updated -07 that I'll upload once things open up
again, but it doesn't contain any normative changes. Feedback on the
existing text (or Chrome's implementation) would be much appreciated.

-mike
Received on Friday, 25 March 2016 09:36:45 UTC
