- From: Mike West <mkwst@google.com>
- Date: Mon, 20 Jun 2016 16:34:20 +0200
- To: Craig Francis <craig.francis@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Received on Monday, 20 June 2016 14:43:29 UTC
-security-dev, public-webappsec to BCC. +ietf-http-wg@w3.org, which is the group you'll probably want to poke at about cookies.

On Mon, Jun 13, 2016 at 6:35 PM, Craig Francis <craig.francis@gmail.com> wrote:

> Hi,
>
> I was wondering about the security vs usability in how SameSite=Strict
> cookies work.
>
> At the moment (in Chrome 51 - 53 at least), if you're on a website, and
> copy/paste a URL for the current website in to the current tab's address
> bar, the SameSite=Strict cookies are sent in that request.
>
> But if you open a new tab, paste the URL, the requested page does not
> include the SameSite=Strict cookies.

This is a bug in Chrome's implementation that I'm poking at. Step 1 of https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-2.1 handles this case, though it's a bit opaque since it requires you to know that a new, user-navigated tab doesn't have a 'client'.

I've filed https://github.com/httpwg/http-extensions/issues/201 to add a note to the spec to clarify things.

Thanks for the report, and sorry for the delayed response.

-mike
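To make the "no client means same-site" rule concrete, here is an added model of the draft-07 same-site decision and its effect on which cookies a request carries; it is example code written for this archive page, not Chrome's or the spec's code, and it assumes a toy public-suffix table plus the draft's Lax rule (cookies allowed on safe-method top-level navigations).

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real
# implementation must consult the full list, not this three-entry table).
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}

def registrable_domain(host: str) -> str:
    """Return the public suffix plus one label, e.g. 'example.co.uk'."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return host.lower()

def is_same_site(target_url: str, initiator_site: Optional[str]) -> bool:
    """Draft-07 section 2.1, step 1: a request with no client (the user typed
    or pasted the URL into a fresh tab) is same-site by definition. Otherwise
    compare registrable domains of the target and the initiator's site."""
    if initiator_site is None:
        return True
    target_host = urlsplit(target_url).hostname or ""
    return registrable_domain(target_host) == registrable_domain(initiator_site)

def cookies_to_send(jar: List[Tuple[str, str]], target_url: str,
                    initiator_site: Optional[str],
                    top_level_navigation: bool = True,
                    method: str = "GET") -> List[str]:
    """jar holds (name, samesite) pairs with samesite in Strict/Lax/None.
    Strict: same-site only. Lax: same-site, or a safe-method top-level
    navigation. None: always attached (transport security aside)."""
    same_site = is_same_site(target_url, initiator_site)
    safe_nav = top_level_navigation and method.upper() in ("GET", "HEAD")
    sent = []
    for name, mode in jar:
        if mode == "Strict" and not same_site:
            continue
        if mode == "Lax" and not same_site and not safe_nav:
            continue
        sent.append(name)
    return sent

# Constructed cookie jar for the scenario in the thread.
JAR = [("sid_strict", "Strict"), ("sid_lax", "Lax"), ("sid_none", "None")]

if __name__ == "__main__":
    print("fresh tab, pasted URL:", cookies_to_send(JAR, "https://example.com/account", None))
    print("link from attacker.org:", cookies_to_send(JAR, "https://example.com/account", "attacker.org"))
```

The fresh-tab paste yields the same result as a same-tab paste, which is the behaviour the report says Chrome 51-53 got wrong.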