[w3ctag/design-reviews] Schemeful Same-Site (#497)

Hello TAG! 

I'm requesting a TAG review of Schemeful Same-Site.

The SameSite cookie attribute is designed to defend against CSRF attacks but currently does not take the scheme of the site into account. This was originally to assist sites during their transition to https; however, it results in the secure and insecure versions of the same host being considered same-site. A network attacker could thus impersonate http://site.example and use it to bypass SameSite protections on https://site.example. Between this security flaw and HTTPS usage markedly increasing, we believe it is time to change this definition.

Modify SameSite’s implementation in the user agent to consider origins with different schemes as cross-site. Thus https://site.example and http://site.example would now be considered cross-site.

  - Explainer: https://github.com/sbingler/schemeful-same-site

  - Spec: https://mikewest.github.io/cookie-incrementalism/draft-west-cookie-incrementalism.html#rfc.section.3.3

  - Security and Privacy self-review: I'm not sure this applies, please correct me if I'm wrong, as this proposal doesn't expose anything new.
  - Primary contacts (and their relationship to the specification):
      - Steven Bingler (@sbingler, Google)
  - Organization/project driving the design: Google
  - External status/issue trackers for this feature: https://www.chromestatus.com/features/5096179480133632


Further details:

  - [X] I have reviewed the TAG's [API Design Principles](https://w3ctag.github.io/design-principles/)
  - The group where the incubation/design work on this is being done (or is intended to be done in the future): IETF
  - The group where standardization of this work is intended to be done ("unknown" if not known): IETF
  - Existing major pieces of multi-stakeholder review or discussion of this design: None
  - Major unresolved issues with or opposition to this design: N/A, unknown
  - This work is being funded by: Google


We'd prefer the TAG provide feedback as (please delete all but the desired option):

  💬 leave review feedback as a **comment in this issue** and @-notify @sbingler

https://github.com/w3ctag/design-reviews/issues/497

Received on Thursday, 9 April 2020 17:52:09 UTC
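The difference between the current scheme-agnostic "same-site" test and the schemeful test proposed above, shown as an added example that is not code from the issue, the explainer or the draft spec. It assumes a small constructed public-suffix table in place of the real Public Suffix List, and follows the explainer's treatment of ws/wss as sharing a site with http/https (an assumption about the design, not stated in this issue). `sameSiteCookieSent` models only the "is this pair same-site?" part of the SameSite decision; Lax's top-level-navigation carve-out is deliberately left out.

```javascript
// Added example (not from the issue, the explainer or the spec draft).
// Assumption: a constructed public-suffix table stands in for the real PSL;
// "registrable domain" is simplified to longest-matching-suffix plus one label.
const PUBLIC_SUFFIXES = new Set(['example', 'com', 'co.uk', 'github.io']);

function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  // Try the longest suffix first, as the PSL's longest-match rule does.
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i - 1).join('.');
  }
  return host; // no known suffix (e.g. "localhost"): the whole host is the site
}

// Assumption (from the explainer's design, not this issue): WebSocket schemes
// are folded into their HTTP counterparts before the scheme comparison.
function siteScheme(url) {
  const s = url.protocol.replace(/:$/, '');
  if (s === 'ws') return 'http';
  if (s === 'wss') return 'https';
  return s;
}

// Current behaviour: only the registrable domain matters; scheme and port are ignored.
function schemelesslySameSite(a, b) {
  return registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

// Proposed behaviour: same registrable domain AND same (normalised) scheme.
function schemefulSameSite(a, b) {
  return schemelesslySameSite(a, b) && siteScheme(a) === siteScheme(b);
}

// Would a SameSite=Lax/Strict cookie be attached to a request that `initiator`
// makes to `target`? Only when the pair is same-site under the chosen definition.
function sameSiteCookieSent(initiator, target, { schemeful }) {
  const a = new URL(initiator);
  const b = new URL(target);
  return schemeful ? schemefulSameSite(a, b) : schemelesslySameSite(a, b);
}

// The attack from the issue: a network attacker serving a forged
// http://site.example page that submits a request to the real https origin.
function demo() {
  const forged = 'http://site.example/';
  const victim = 'https://site.example/transfer';
  return {
    schemeless: sameSiteCookieSent(forged, victim, { schemeful: false }), // true: CSRF succeeds
    schemeful: sameSiteCookieSent(forged, victim, { schemeful: true }),   // false: cookie withheld
  };
}

console.log(demo());
```

Ports are still ignored under both definitions (https://site.example:8443 and https://site.example remain same-site), so the only new cross-site boundary is the scheme itself.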