[whatwg/fetch] Consider unsetting the `credentials flag` for non-secure, cross-site requests. (#936) from Mike West on 2019-09-12 (public-webapps-github@w3.org from September 2019)

From: Mike West <notifications@github.com>
Date: Thu, 12 Sep 2019 01:03:14 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/936@github.com>

There's some interest in ensuring that [`SameSite=None` cookies must also set the `Secure` flag](https://mikewest.github.io/cookie-incrementalism/draft-west-cookie-incrementalism.html#rfc.section.3.2), which would (among other things) have the lovely effect of dropping cookies from non-secure, cross-site requests. It occurs to me that this isn't a robust-enough guarantee, as mechanisms like basic auth could still, in theory, be attached to requests whose cookies have been blocked by the `SameSite` restriction.

I wonder if it would be reasonable to consider making the guarantee more robust by explicitly unsetting requests' `credentials flag` in [HTTP-network-or-cache fetch](https://fetch.spec.whatwg.org/#http-network-or-cache-fetch) if the request is cross-site and non-secure?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/936

Received on Thursday, 12 September 2019 08:03:57 UTC