- From: Ben Kelly <notifications@github.com>
- Date: Mon, 11 Oct 2021 09:11:02 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 11 October 2021 16:11:15 UTC
I'm not sure I follow. A single "top-level frame" bit seems to be adequate to satisfy [this](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-05#:~:text=In%20the%0A%20%20%20interests,sense%29%20HTTP%0A%20%20%20method.): "In the interests of providing a drop-in mechanism that mitigates the risk of CSRF attacks, developers may set the "SameSite" attribute in a "Lax" enforcement mode that carves out an exception which sends same-site cookies along with cross-site requests if and only if they are top-level navigations which use a "safe" (in the [RFC7231] sense) HTTP method."

I think the ancestor frame information is captured in "[site for cookies](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-05#section-5.2.1)"?

View it on GitHub: https://github.com/whatwg/fetch/issues/1327#issuecomment-940164624