Re: [w3ctag/design-reviews] Reporting (#585)

I think sending credentials here is a problem, when it comes to dealing with cross-site tracking.  Either we only send SameSite=None cookies (which will be removed in the foreseeable future), and will break everyone relying on credentialed reports, or we send SameSite=Lax/Strict cookies, which allows cross-site tracking.

We also need to specify the Network Partition Key used for the upload, and the scope of data stored by the reporting API (likely also keyed on the Network Partition Key, again, to protect against cross-site tracking - a site could use a unique ID in the Report-To URL to track individual users).

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/585#issuecomment-745346744

Received on Tuesday, 15 December 2020 14:58:22 UTC
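
The storage-scoping concern in the comment above, as an added example that is not part of the original message or of any browser's code: a simplified endpoint store keyed on origin alone, compared with one keyed on partition key plus origin. The class, the function names, the `.example` hosts and the `uid` value are constructed, and the Network Partition Key is assumed to reduce to the top-level site.

```javascript
// Simplified model of a browser's reporting-endpoint store (added example).
// Assumption: the Network Partition Key is reduced to the top-level site.
class EndpointStore {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.endpoints = new Map();
  }

  // Storage key: origin alone, or (partition key, origin) when partitioned.
  key(topLevelSite, origin) {
    return this.partitioned ? `${topLevelSite} ${origin}` : origin;
  }

  // A response from `origin`, loaded under `topLevelSite`, configures an endpoint.
  configure(topLevelSite, origin, url) {
    this.endpoints.set(this.key(topLevelSite, origin), url);
  }

  // Where is a report about `origin`, generated under `topLevelSite`, uploaded?
  uploadTarget(topLevelSite, origin) {
    return this.endpoints.get(this.key(topLevelSite, origin)) || null;
  }
}

// Constructed scenario: tracker.example is embedded by two unrelated sites.
function simulate(partitioned) {
  const store = new EndpointStore(partitioned);
  const tracker = "https://tracker.example";
  // Under site A the embedded origin configures an endpoint URL with a per-user ID.
  store.configure("https://site-a.example", tracker,
                  "https://tracker.example/reports?uid=constructed-id-1");
  // Under site B a report is generated before any endpoint is configured there.
  const target = store.uploadTarget("https://site-b.example", tracker);
  return {
    uploadTargetOnSiteB: target,
    // True when the ID issued under site A rides along on a site B upload.
    linkableAcrossSites: target !== null && target.includes("uid=constructed-id-1"),
  };
}

console.log(simulate(false)); // store keyed on origin only
console.log(simulate(true));  // store keyed on partition key + origin
```
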