[whatwg/fetch] SameSite cookies aren't sent on credentialed CORS requests (#769)

Since CORS is to enable SOP bypass, cookies are expected to be sent along as long as the request is permitted. And, CORS does have the policy to only allow credential requests. 

Currently, even if a site explicitly allows credentialed CORS requests from 3rd domains, SameSite cookies aren't sent. This might break some sites if only authenticated requests are served.

Since CORS is an opt-in mechanism, it would be nice to act as the policy says. If it allows credentialed requests, SameSite cookies should be sent as well.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/769

Received on Thursday, 21 June 2018 15:55:55 UTC
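
The behaviour reported above, as an added example that is not part of the original issue or of the Fetch specification: a simplified model showing that the SameSite check and the CORS credentials check are evaluated independently, so a server that opts in to credentialed cross-site requests still does not receive its SameSite cookies. The hosts, cookie names and the two-label "site" approximation are assumptions made for illustration.

```javascript
// Simplified model of cookie attachment for a cross-origin fetch() subresource request.
// Assumption: "site" = scheme + last two host labels (real browsers use the Public Suffix List).
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split('.').slice(-2).join('.')}`;
}

// The Fetch credentials mode decides whether cookies are considered at all.
function credentialsIncluded(initiator, target, mode) {
  if (mode === 'include') return true;
  if (mode === 'same-origin') return new URL(initiator).origin === new URL(target).origin;
  return false; // "omit"
}

// SameSite is applied on its own: on a cross-site subresource request both Strict
// and Lax cookies are withheld. Assumption: cookies without the attribute are unrestricted.
function cookiesSent(initiator, target, mode, jar) {
  if (!credentialsIncluded(initiator, target, mode)) return [];
  const sameSite = siteOf(initiator) === siteOf(target);
  return jar
    .filter(c => sameSite || (c.sameSite !== 'Strict' && c.sameSite !== 'Lax'))
    .map(c => c.name);
}

// CORS check on the response: a credentialed request needs an exact origin match
// (not "*") plus Access-Control-Allow-Credentials: true before script may read it.
function corsAllowsRead(initiator, mode, headers) {
  const origin = new URL(initiator).origin;
  const acao = headers['access-control-allow-origin'];
  if (mode !== 'include') return acao === '*' || acao === origin;
  return acao === origin && headers['access-control-allow-credentials'] === 'true';
}

// Constructed sample data: cookie jar held for api.example.com and its CORS opt-in headers.
const JAR = [
  { name: 'sid', sameSite: 'Strict' },
  { name: 'pref', sameSite: 'Lax' },
  { name: 'legacy', sameSite: null },
];
const OPT_IN = {
  'access-control-allow-origin': 'https://app.example.org',
  'access-control-allow-credentials': 'true',
};

const API = 'https://api.example.com/data';
console.log(cookiesSent('https://app.example.org', API, 'include', JAR)); // cross-site
console.log(corsAllowsRead('https://app.example.org', 'include', OPT_IN));
console.log(cookiesSent('https://www.example.com', API, 'include', JAR)); // same-site
```

A server that authenticates only with the SameSite cookie sees the cross-site request as unauthenticated, even though its CORS headers would let the response be read.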