Re: [whatwg/fetch] SameSite cookies aren't sent on credentialed CORS requests (#769)

> What if there was an additional SameSite mode between none and lax, which meant that cross-site requests are allowed to send the cookie, provided that the domain of the origin is "allowed".

If you squint a bit, this is more or less what I proposed in https://tools.ietf.org/html/draft-west-cookie-samesite-firstparty. Given our experience thus far with changing `SameSite`'s default behavior in Chromium, this kind of thing is more difficult than we expected it to be. The behavior of [some browsers](https://www.chromium.org/updates/same-site/incompatible-clients) (those on iOS 12 in particular) makes deployments complicated. We did a bad job keeping that joint oiled, and I think it's going to be more trouble than it's worth to bend any further than we're already pushing it.

Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/769#issuecomment-547267489

Received on Tuesday, 29 October 2019 05:51:08 UTC