[w3ctag/design-reviews] `SameSite=Lax` by default. (#373)

Guten TAG,

**I'm requesting a TAG review of:**

  - Name: Incrementally Better Cookies
  - Specification URL: https://mikewest.github.io/cookie-incrementalism/draft-west-cookie-incrementalism.html
  - Explainer, Requirements Doc, or Example code: The spec is fairly short, and (I hope!) readably explanatory.
  - Tests: We'll be adding some `.tentative` WPT shortly.
  - Primary contacts: @mikewest, @morlovich

**Further details (optional):**

TL;DR: We're proposing treating cookies as [`SameSite=Lax`](https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.7) by default. Developers would be able to opt into the status quo by explicitly asserting `SameSite=None`, but to do so, they'll also need to ensure that their cookies won't be delivered over non-secure transport by asserting the `Secure` attribute. [The specification](https://mikewest.github.io/cookie-incrementalism/draft-west-cookie-incrementalism.html) ([paginated](https://tools.ietf.org/html/draft-west-cookie-incrementalism)) spells out the proposal in a bit more detail.
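The two rules in the TL;DR, modelled as an added example (this is not code from the draft or from Chromium): a `Set-Cookie` parser that defaults a missing `SameSite` attribute to `Lax` and rejects `SameSite=None` without `Secure`, plus a check of whether a stored cookie is attached to a given request. The `Cookie` class, function names and the "top-level navigation with a safe method" reading of `Lax` are this example's own assumptions.

```python
"""Model of 'Incrementally Better Cookies': no SameSite attribute means Lax,
and SameSite=None is honoured only when the cookie is also marked Secure.
Added illustration, not the draft's own code."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cookie:
    name: str
    value: str
    same_site: str   # "Strict", "Lax" or "None" after defaulting
    secure: bool

def parse_set_cookie(header: str) -> Optional[Cookie]:
    """Parse a Set-Cookie header value under the proposed rules.
    Returns None when the cookie must be rejected."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    same_site, secure = None, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "samesite":
            same_site = val.strip().capitalize()  # Strict / Lax / None
    if same_site not in ("Strict", "Lax", "None"):
        same_site = "Lax"            # proposal: unspecified -> Lax
    if same_site == "None" and not secure:
        return None                  # proposal: None requires Secure
    return Cookie(name.strip(), value.strip(), same_site, secure)

def is_sent(cookie: Cookie, *, same_site_request: bool, https: bool,
            top_level_navigation: bool = False, method: str = "GET") -> bool:
    """Would this cookie be attached to a request with the given context?"""
    if cookie.secure and not https:
        return False                 # Secure cookies never go in plaintext
    if same_site_request:
        return True                  # same-site requests always carry cookies
    if cookie.same_site == "None":
        return True                  # explicit opt-in to cross-site delivery
    if cookie.same_site == "Lax":
        # Lax: cross-site only on top-level navigations with safe methods
        return top_level_navigation and method.upper() in ("GET", "HEAD")
    return False                     # Strict: never cross-site
```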

  - Relevant time constraints or deadlines: We'd like to begin experimenting with this behavior in the relatively near future, but we're not planning on shipping it tomorrow.
  - [X] I am more or less familiar with the [Self-Review Questionnaire on Security and Privacy](https://www.w3.org/TR/security-privacy-questionnaire/). My assessment is that this is a privacy-positive change, as it entails a strict reduction in cookies going over the wire in plaintext.
  - [X] I have reviewed the TAG's [API Design Principles](https://w3ctag.github.io/design-principles/)

**We'd prefer the TAG provide feedback as (please select one):**

  - [ ] open issues in our GitHub repo for each point of feedback
  - [ ] open a single issue in our GitHub repo for the entire review
  - [X] leave review feedback as a comment in this issue and @-notify [github usernames]

**Thanks!**

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/373

Received on Wednesday, 8 May 2019 06:33:27 UTC