Re: SameSite=Strict cookies for a user entered URL

Great, thanks Mike,

I must admit I did read section 2.1 a few times, but I didn't really understand it (I assumed it's written more for browser developers, where the language used is more familiar to them).

Craig

> On 20 Jun 2016, at 15:34, Mike West <mkwst@google.com> wrote:
> 
> -security-dev, public-webappsec to BCC.
> +ietf-http-wg@w3.org, which is the group you'll probably want to poke at about cookies.
> 
> On Mon, Jun 13, 2016 at 6:35 PM, Craig Francis <craig.francis@gmail.com> wrote:
> Hi,
> 
> I was wondering about the security vs usability in how SameSite=Strict cookies work.
> 
> At the moment (in Chrome 51 - 53 at least), if you're on a website, and copy/paste a URL for the current website into the current tab's address bar, the SameSite=Strict cookies are sent in that request.
> 
> But if you open a new tab, paste the URL, the requested page does not include the SameSite=Strict cookies.
> 
> This is a bug in Chrome's implementation that I'm poking at. Step 1 of https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-2.1 handles this case, though it's a bit opaque since it requires you to know that a new, user-navigated tab doesn't have a 'client'. I've filed https://github.com/httpwg/http-extensions/issues/201 to add a note to the spec to clarify things.
> 
> Thanks for the report, and sorry for the delayed response.
> 
> -mike
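The point Mike makes about the spec's step 1 (a navigation the user starts from the address bar has no "client", so it counts as same-site and Strict cookies should be attached) is easier to see as code. The following is an added illustration written for this archive page, not code from the thread, the draft, or any browser. It is a deliberately simplified model of the draft's same-site decision and of the Strict/Lax attachment rules; the `registrableDomain` helper is a placeholder assumption (last two host labels) where a real user agent would consult the Public Suffix List.

```javascript
// Added example, not from the thread: a toy model of the same-site decision in
// draft-west-first-party-cookies-07 section 2.1 and of which cookies a user
// agent attaches. Cookie names and hosts below are constructed sample values.

// Placeholder assumption: treat the last two labels as the registrable domain.
// Real browsers use the Public Suffix List here.
function registrableDomain(url) {
  const labels = new URL(url).hostname.split('.');
  return labels.slice(-2).join('.');
}

// Step 1 of the draft: a request with no client (the user typed or pasted the
// URL into the address bar, including in a brand-new tab) is same-site.
// Otherwise compare the registrable domains of the request and its client.
function isSameSite(requestUrl, clientUrl) {
  if (clientUrl === null) return true;
  return registrableDomain(requestUrl) === registrableDomain(clientUrl);
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Return the names of the cookies a user agent would attach to a request.
//   jar:        [{ name, sameSite }] where sameSite is 'Strict', 'Lax' or null
//   requestUrl: URL being fetched
//   clientUrl:  URL of the document that initiated the request, or null when
//               the user initiated it from the address bar
//   topLevel:   true for a navigation, false for a subresource/XHR/fetch
//   method:     HTTP method
function cookiesForRequest(jar, requestUrl, clientUrl, topLevel, method) {
  const sameSite = isSameSite(requestUrl, clientUrl);
  return jar
    .filter((c) => {
      switch (c.sameSite) {
        case 'Strict':
          return sameSite;
        case 'Lax':
          // Lax also rides along on top-level navigations with a safe method.
          return sameSite || (topLevel && SAFE_METHODS.has(method));
        default:
          return true; // no SameSite attribute: always attached
      }
    })
    .map((c) => c.name);
}

// Constructed jar for https://example.com
const jar = [
  { name: 'session', sameSite: 'Strict' },
  { name: 'prefs', sameSite: 'Lax' },
  { name: 'analytics', sameSite: null },
];

// The two cases from Craig's report. Per the draft both should carry the
// Strict cookie; the Chrome 51-53 behaviour he saw dropped it in the new tab.
function pasteInSameTab() {
  return cookiesForRequest(jar, 'https://example.com/account',
    'https://example.com/home', true, 'GET');
}
function pasteInNewTab() {
  return cookiesForRequest(jar, 'https://example.com/account',
    null, true, 'GET');
}
// Contrast: a cross-site link click and a cross-site POST form.
function crossSiteLink() {
  return cookiesForRequest(jar, 'https://example.com/account',
    'https://evil.test/page', true, 'GET');
}
function crossSitePost() {
  return cookiesForRequest(jar, 'https://example.com/transfer',
    'https://evil.test/page', true, 'POST');
}

console.log({ pasteInSameTab: pasteInSameTab(), pasteInNewTab: pasteInNewTab(),
  crossSiteLink: crossSiteLink(), crossSitePost: crossSitePost() });
```

The model makes the defender-relevant distinction explicit: a Strict cookie is withheld only when some other site initiated the request, while a navigation the user starts from the address bar has no initiator and is treated as same-site, which is exactly why the new-tab behaviour reported above is an implementation bug rather than intended design.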

Received on Monday, 20 June 2016 17:03:49 UTC