- From: Mike West <notifications@github.com>
- Date: Mon, 28 Oct 2019 22:51:06 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 29 October 2019 05:51:08 UTC
> What if there was an additional SameSite mode between none and lax, which meant that cross-site requests are allowed to send the cookie, provided that the domain of the origin is "allowed".

If you squint a bit, this is more or less what I proposed in https://tools.ietf.org/html/draft-west-cookie-samesite-firstparty.

Given our experience thus far with changing `SameSite`'s default behavior in Chromium, this kind of thing is more difficult than we expected it to be. The behavior of [some browsers](https://www.chromium.org/updates/same-site/incompatible-clients) (those on iOS 12 in particular) makes deployments complicated. We did a bad job keeping that joint oiled, and I think it's going to be more trouble than it's worth to bend any further than we're already pushing it.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/769#issuecomment-547267489