- From: Johann Hofmann <johannhof@google.com>
- Date: Wed, 29 Mar 2023 16:34:22 +0200
- To: public-privacycg@w3.org
- Message-ID: <CAD_OO4g0ba6a3bR58GnkZHkN1y53Br0+Y=mE8a8A2AZR_xGTLA@mail.gmail.com>
Hi all,

I wanted to give some visibility to this group around efforts we're making to improve the security posture of cross-site cookie blocking, in WebAppSec. We'd love to get your thoughts and questions either in the group discussion or directly on the repository.

Thanks!

Johann

---------- Forwarded message ---------
From: Johann Hofmann <johannhof@google.com>
Date: Wed, Mar 29, 2023 at 4:27 PM
Subject: Standardizing Security Semantics of Cross-Site Cookies
To: WebAppSec WG <public-webappsec@w3.org>
Cc: Dylan Cutler <dylancutler@google.com>, Kaustubha Govind <kaustubhag@google.com>

Hi everyone,

Dylan, Kaustubha and I have been working on a new proposal to converge browsers on semantics for blocking cross-site cookies <https://github.com/DCtheTall/standardizing-cross-site-cookie-semantics/>, in the interest of solving security challenges that arise when cross-site cookies continue to be allowed by default in certain edge cases.

As we've outlined in the document, all browsers perform cross-site cookie blocking a bit differently, with the main difference being that Chrome adheres to the "site for cookies" <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-11#section-5.2.1> when determining cross-site-ness for cookie blocking, whereas Firefox and Safari compare the top-level site without considering the ancestor chain. This particularly impacts the "ABA" case when a site A embeds another site B, which then embeds A again.

We would like to default the web platform to the more secure behavior here, but recognize that we have to consider viable methods for developers to opt into the less secure alternative. One such method could be the Storage Access API <https://github.com/privacycg/storage-access>.

There are a lot more details in the document, and we'd appreciate your feedback. We aim to present this topic at the 04/19 call <https://github.com/w3c/webappsec/issues/620> and hope to see you all there!

Johann
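The two cross-site checks the mail contrasts, run on the "ABA" frame tree it describes, as an added example that is not code from the proposal or from any browser. The `siteOf` helper takes the last two host labels as the "site", a simplification standing in for the Public Suffix List lookup real browsers do; the hosts are constructed.

```javascript
// Simplified "site": scheme plus the last two host labels. Real browsers use
// the Public Suffix List to find the registrable domain; this shortcut is an
// assumption made to keep the example self-contained.
function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split(".");
  return `${u.protocol}//${labels.slice(-2).join(".")}`;
}

// Site-for-cookies semantics (what the mail attributes to Chrome): the request
// is same-site only if the top-level document AND every intermediate ancestor
// frame share the request's site.
function sameSiteByAncestorChain(ancestorUrls, requestUrl) {
  const target = siteOf(requestUrl);
  return ancestorUrls.every((a) => siteOf(a) === target);
}

// Top-level-only semantics (what the mail attributes to Firefox/Safari): only
// the top-level site is compared; intermediate frames are ignored.
function sameSiteByTopLevel(ancestorUrls, requestUrl) {
  return siteOf(ancestorUrls[0]) === siteOf(requestUrl);
}

// With cross-site cookie blocking enabled, a cookie is attached only when the
// chosen semantics classifies the request as same-site. ancestorUrls is ordered
// from the top-level document down to the direct parent of the requesting frame.
function compareSemantics(ancestorUrls, requestUrl) {
  return {
    siteForCookies: sameSiteByAncestorChain(ancestorUrls, requestUrl),
    topLevelOnly: sameSiteByTopLevel(ancestorUrls, requestUrl),
  };
}

// Constructed ABA tree: a.example (top level) embeds b.example, which in turn
// embeds a frame from a.example that requests a.example resources.
const ABA_ANCESTORS = ["https://a.example/", "https://b.example/embed"];
const ABA_REQUEST = "https://www.a.example/frame";

console.log(compareSemantics(ABA_ANCESTORS, ABA_REQUEST));
// → { siteForCookies: false, topLevelOnly: true }
// Under site-for-cookies the b.example ancestor makes the request cross-site,
// so the cookie is blocked; comparing only the top level treats it as
// same-site and sends the cookie, which is the gap the mail wants to close.
```

Swapping the middle frame for a second a.example document makes both checks agree, which shows the divergence is specific to a foreign site in the ancestor chain.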
Received on Wednesday, 29 March 2023 14:34:47 UTC