Re: [whatwg/fetch] SameSite cookies aren't sent on credentialed CORS requests (#769)

What if there was an additional SameSite mode between none and lax, which meant that cross-site requests are allowed to send the cookie, provided that the domain of the origin is "allowed"? "Allowed" could mean either matching a whitelist specified in another cookie directive (or part of the SameSite directive), or making a mandatory preflight to check CORS headers.


-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/769#issuecomment-546516458

Received on Friday, 25 October 2019 21:16:39 UTC