- From: Ben Kelly <notifications@github.com>
- Date: Fri, 08 Oct 2021 08:38:08 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/1327@github.com>
As discussed in #1321 we want to propagate the internal origin field when a Request constructor copies another request without modifying it. One of the reasons for this is so that SameSite cookies will work properly when there is a pass-through service worker handler.

Unfortunately, during the discussion at the F2F call (w3c/ServiceWorker#1604) I forgot to mention another problem. SameSite cookie computation currently depends on whether the request is for a top-level main frame navigation:

https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3.7.1

This is used to expose `SameSite=LAX` cookies on these main frame navigations. In addition, I believe at least Chrome defaults cookies to `SameSite=LAX` if there is no SameSite attribute.

This means that if we want to propagate the origin we probably need to propagate some "main frame navigation" bit as well. Otherwise sites may suddenly start losing cookies on cross-site navigations when they add a service worker.

Ideally we would just propagate the request destination to achieve this. Unfortunately, this also has difficulties as discussed in #1323; e.g. changing the destination would change CSP enforcement behavior. So that leaves us with an internal "main frame flag" or an internal "original destination" field.

What do folks think? @annevk, @arturjanc, @jakearchibald, @asutherland, @youennf

View it on GitHub: https://github.com/whatwg/fetch/issues/1327
Received on Friday, 8 October 2021 15:38:20 UTC
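The following is an added illustration of the breakage described in the message above; it is not code from the whatwg/fetch thread, the Fetch spec, or any browser. It is a toy model of the SameSite decision in draft-ietf-httpbis-rfc6265bis-05 section 5.3.7.1: a cookie with no attribute is treated as Lax (the default the message attributes to Chrome), the "site" of a URL is approximated by its last two host labels, and the request fields `origin` and `topLevelNavigation` are names chosen for the model, not spec-defined fields. Two copy strategies for a pass-through handler are compared: one that propagates only the origin (the #1321 change on its own) and one that also carries the main-frame-navigation bit the message proposes.

```javascript
// Added model (not code from the whatwg/fetch thread or any browser): a toy
// version of the SameSite cookie decision from draft-ietf-httpbis-rfc6265bis-05
// section 5.3.7.1. It shows why propagating a request's origin without its
// "top-level navigation" bit drops SameSite=Lax cookies on cross-site
// navigations. The request fields `origin` and `topLevelNavigation` are
// assumptions made for this model, not spec-defined request fields.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Toy "site" computation: the last two host labels. Assumes no multi-label
// public suffixes, which is enough for the constructed hosts below.
function siteOf(originOrUrl) {
  const host = new URL(originOrUrl).hostname;
  return host.split('.').slice(-2).join('.');
}

// A cookie with no SameSite attribute is treated as Lax when `laxByDefault`
// is set (the browser default the message mentions).
function effectiveSameSite(cookie, laxByDefault) {
  if (cookie.sameSite) return cookie.sameSite;
  return laxByDefault ? 'Lax' : 'None';
}

// request = { url, method, origin, topLevelNavigation }
// Returns true when the cookie is eligible for this request's Cookie header.
function shouldAttachCookie(cookie, request, { laxByDefault = true } = {}) {
  const crossSite = siteOf(request.origin) !== siteOf(request.url);
  if (!crossSite) return true; // same-site requests carry every cookie
  switch (effectiveSameSite(cookie, laxByDefault)) {
    case 'None':
      return true; // cross-site allowed (assumes the cookie is also Secure)
    case 'Strict':
      return false;
    case 'Lax':
      // Lax cookies cross a site boundary only on a top-level navigation
      // that uses a safe method.
      return request.topLevelNavigation === true && SAFE_METHODS.has(request.method);
    default:
      return false;
  }
}

// Two ways a pass-through service worker handler might copy event.request
// before calling fetch(). The first models "propagate the origin only" (the
// #1321 change on its own); the second also carries the main-frame-navigation
// bit the message proposes.
function copyPropagatingOrigin(request) {
  return {
    url: request.url,
    method: request.method,
    origin: request.origin,
    topLevelNavigation: false, // bit lost by the copy
  };
}
function copyPropagatingOriginAndNavigation(request) {
  return { ...request };
}

// Constructed scenario: a visitor on https://other.example follows a link to
// https://app.example, whose service worker passes the navigation through.
function navigationFrom(origin, method = 'GET') {
  return { url: 'https://app.example/dashboard', method, origin, topLevelNavigation: true };
}
const sessionCookie = { name: 'session', sameSite: undefined }; // no attribute

// Runs the scenario and returns which copies keep the session cookie.
function demo() {
  const nav = navigationFrom('https://other.example');
  return {
    direct: shouldAttachCookie(sessionCookie, nav),
    originOnly: shouldAttachCookie(sessionCookie, copyPropagatingOrigin(nav)),
    originAndNav: shouldAttachCookie(sessionCookie, copyPropagatingOriginAndNavigation(nav)),
    crossSitePost: shouldAttachCookie(sessionCookie, navigationFrom('https://other.example', 'POST')),
    strictCookie: shouldAttachCookie({ name: 's', sameSite: 'Strict' }, nav),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

In the model, the original navigation and the copy that carries both origin and navigation bit attach the default-Lax cookie, while the origin-only copy does not: that is the "sites may suddenly start losing cookies on cross-site navigations when they add a service worker" outcome. The POST and Strict cases are included to show that the navigation bit only matters for Lax cookies on safe-method navigations, which is the narrow case the extra flag would need to preserve.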