Allow sending SameSite=Lax cookies for certain POST requests (FedCM) from Christian Biesinger on 2025-11-04 (ietf-http-wg@w3.org from October to December 2025)

From: Christian Biesinger <cbiesinger@google.com>
Date: Tue, 4 Nov 2025 15:08:15 -0500
To: ietf-http-wg@w3.org
Message-ID: <CAPTJ0XE0xdwgcekBSDTCW3aQM8ofVWUpS8zSduOsMogFQB+umg@mail.gmail.com>

Hello,

I wanted to update this group that I filed a github issue just now that
would allow sending SameSite=Lax cookies for certain POST requests
(specifically, credentialed FedCM requests):
https://github.com/httpwg/http-extensions/issues/3323

SameSite seems to be primarily part of the fetch spec now (
https://fetch.spec.whatwg.org/#cookie-infrastructure) but this group
might be interested as well.

I don't want to repeat the lengthy details from the github issue in this
email but I want to emphasize that if a server does not have a
/.well-known/web-identity file on their eTLD+1 they will not see any change
to their cookies.

https://github.com/w3c-fedid/FedCM/issues/587 has some additional context.

Thanks,
Christian

Received on Tuesday, 4 November 2025 20:08:57 UTC