- From: Lily Chen <notifications@github.com>
- Date: Tue, 14 Apr 2020 08:04:59 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/497/613496794@github.com>
This is not a strict subset of "Scheme-bound cookies". For example, let's say we navigate to a page with an iframe such as

```
http://foo.com (top level) -> https://foo.com (iframe)
```

And some cookies such as:

- `secure_lax=foo; SameSite=Lax; Secure` (set from https://foo.com)
- `secure_none=foo; SameSite=None; Secure` (set from https://foo.com)
- `insecure_https_lax=foo; SameSite=Lax` (set from https://foo.com)
- `insecure_http_lax=foo; SameSite=Lax` (set from http://foo.com)

In the "Schemeful Same-Site" world:

- The `https://foo.com` iframe gets `secure_none` but no other cookies. (Since `https://foo.com` is cross-site from `http://foo.com`, only SameSite=None is allowed.)
- The `http://foo.com` main frame gets both of the insecure lax cookies: `insecure_https_lax` and `insecure_http_lax`.

In the "Scheme-bound cookies" world:

- The `https://foo.com` iframe gets `secure_none`, `secure_lax` and `insecure_https_lax`, as they were all set from the secure scheme. (And `foo.com` is the site in both cases, so SameSite=Lax is ok.)
- The `http://foo.com` main frame gets `insecure_http_lax` and no other cookies. (As it was the only one set from the insecure scheme.)

Of course we could also apply both:

- The `https://foo.com` iframe gets only `secure_none`.
- The `http://foo.com` main frame gets only `insecure_http_lax`.

View it on GitHub: https://github.com/w3ctag/design-reviews/issues/497#issuecomment-613496794
Received on Tuesday, 14 April 2020 15:05:12 UTC
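The three outcomes enumerated in the comment above, worked through in code. This is an added model written for this page, not code from the comment, the TAG review or any browser; it assumes the four constructed cookies and the `http://foo.com` top level / `https://foo.com` iframe layout described above, treats the host as the site, and ignores the Lax-vs-Strict difference on top-level navigations, which does not arise in that layout.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str   # "Lax", "Strict" or "None"
    secure: bool     # Secure attribute present
    set_from: str    # origin of the response that carried the Set-Cookie

# Constructed jar reproducing the four cookies in the comment above.
JAR = [
    Cookie("secure_lax", "Lax", True, "https://foo.com"),
    Cookie("secure_none", "None", True, "https://foo.com"),
    Cookie("insecure_https_lax", "Lax", False, "https://foo.com"),
    Cookie("insecure_http_lax", "Lax", False, "http://foo.com"),
]

def same_site(a: str, b: str, schemeful: bool) -> bool:
    """Legacy same-site compares hosts only; Schemeful Same-Site also compares schemes.
    Simplification: the host is used as the site (foo.com has no subdomains here)."""
    ua, ub = urlsplit(a), urlsplit(b)
    return ua.hostname == ub.hostname and (not schemeful or ua.scheme == ub.scheme)

def cookies_sent(jar, request_url, top_level_url, *, schemeful=False, scheme_bound=False):
    """Names of jar cookies attached to a request for request_url from a page at top_level_url.
    Lax and Strict are treated alike (exact for the iframe / main-frame case modelled here)."""
    req_scheme = urlsplit(request_url).scheme
    sent = []
    for c in jar:
        if c.secure and req_scheme != "https":
            continue                                   # Secure cookies never go over http
        if c.same_site != "None" and not same_site(request_url, top_level_url, schemeful):
            continue                                   # Lax/Strict need a same-site context
        if scheme_bound and urlsplit(c.set_from).scheme != req_scheme:
            continue                                   # Scheme-bound: set and use must share a scheme
        sent.append(c.name)
    return sent

TOP, IFRAME = "http://foo.com", "https://foo.com"

def compare_models(jar=JAR):
    """Return {model: (iframe cookies, main-frame cookies)} for the three variants in the comment."""
    models = {"schemeful": dict(schemeful=True), "scheme_bound": dict(scheme_bound=True),
              "both": dict(schemeful=True, scheme_bound=True)}
    return {m: (cookies_sent(jar, IFRAME, TOP, **kw), cookies_sent(jar, TOP, TOP, **kw))
            for m, kw in models.items()}

if __name__ == "__main__":
    for model, (iframe, main) in compare_models().items():
        print(f"{model:13} iframe={iframe} main={main}")
```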