- From: Mike West <mkwst@google.com>
- Date: Wed, 8 May 2019 08:57:53 +0200
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAKXHy=eEOkNUp0r=bucO3jwRRYsVmnw6_xqM5ZWj30OsrWgVSQ@mail.gmail.com>
Hey folks,
Thanks again for the conversations at the recent HTTP Workshop. I was happy
to hear some general support for Doing Something(tm) about cookies, and I
look forward to more conversations about the direction and details of
potential replacements. I owe y'all some responses to threads on HTTP State
Tokens, and I hope to get to those this week.
Still, I got concrete feedback from a few folks that it would be a better
use of our time to focus on improvements to cookies, as they exist today,
and aren't as amazing as we'd like them to be. I suspect you won't be
shocked to learn that I think we can walk and chew gum at the same time,
but I think you also won't be surprised that I'm very much in favor of
incremental improvements to cookies where we see opportunities.
https://mikewest.github.io/cookie-incrementalism/draft-west-cookie-incrementalism.html
("paginated" at https://tools.ietf.org/html/draft-west-cookie-incrementalism)
sketches out two changes that I hope we can come to consensus on:
1.  Treat cookies as `SameSite=Lax` by default.
2.  Allow developers to opt into the status quo behavior by explicitly
setting `SameSite=None`, but require the `Secure` attribute when doing so.
The document linked above spells those out in a bit more detail, and
attempts to justify them both through principle and practical impact.
WDYT?
-mike
Received on Wednesday, 8 May 2019 06:58:27 UTC
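The two rules proposed in the message above, modelled as an added example (not code from the draft or from the author): a small Set-Cookie parser that applies "no SameSite attribute means Lax" and "SameSite=None is rejected unless Secure is present", with a switch to compare against the status quo where a missing attribute means no restriction. The `would_send` helper then shows which cross-site requests a cookie rides along with under each mode. The parser only handles the `Secure` and `SameSite` attributes; the name/value split, the Strict/Lax/None request rules and the sample headers are assumptions of this example, and the draft's full attribute handling is not reproduced.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample headers, not taken from any real response.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",            # no SameSite attribute
    "tracker=xyz; SameSite=None",                   # cross-site opt-in without Secure
    "tracker=xyz; SameSite=None; Secure",           # cross-site opt-in done correctly
    "csrf=tok; SameSite=Strict; Secure",            # explicit Strict
]


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool
    samesite: str                     # effective mode: "Strict", "Lax" or "None"
    explicit_samesite: Optional[str]  # what the header actually said, if anything


def parse_set_cookie(header: str, incremental: bool = True) -> Optional[Cookie]:
    """Parse a Set-Cookie header value and decide how the cookie is treated.

    incremental=True applies the draft's two rules:
      1. no SameSite attribute  -> treated as Lax
      2. SameSite=None          -> rejected (None returned) unless Secure is set
    incremental=False models the status quo: a missing attribute means no
    same-site restriction and Secure is not required for SameSite=None.
    Attribute names and SameSite values are matched case-insensitively.
    """
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        return None  # malformed name/value pair

    secure = False
    explicit: Optional[str] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "samesite":
            val = val.strip().lower()
            if val in ("strict", "lax", "none"):
                explicit = val.capitalize()  # "Strict", "Lax" or "None"

    if incremental:
        if explicit == "None" and not secure:
            return None  # rule 2: cross-site cookies must also be Secure
        effective = explicit if explicit is not None else "Lax"  # rule 1
    else:
        effective = explicit if explicit is not None else "None"

    return Cookie(name.strip(), value.strip(), secure, effective, explicit)


def would_send(cookie: Cookie, same_site: bool,
               top_level_navigation: bool, safe_method: bool) -> bool:
    """Would the browser attach this cookie to a request?

    Strict: same-site requests only.
    Lax:    same-site requests, plus top-level navigations using a safe method.
    None:   every request, same-site or not.
    """
    if same_site or cookie.samesite == "None":
        return True
    if cookie.samesite == "Lax":
        return top_level_navigation and safe_method
    return False  # Strict, cross-site


def summarize(incremental: bool = True) -> dict:
    """Return {header: effective mode or 'rejected'} for the sample headers."""
    out = {}
    for h in SAMPLE_HEADERS:
        c = parse_set_cookie(h, incremental=incremental)
        out[h] = c.samesite if c else "rejected"
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("incremental" if mode else "status quo")
        for header, result in summarize(mode).items():
            print(f"  {header!r:45} -> {result}")
```

Running the block prints each sample header with its effective treatment under the status quo and under the draft: the attribute-less session cookie moves from unrestricted to Lax, and the `SameSite=None` cookie without `Secure` goes from being accepted to being dropped, which is the practical effect the draft is asking for.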