[w3ctag/design-reviews] Standardizing Security Semantics of Cross-Site Cookies (Issue #904)

Guten TAG!

I'm requesting a TAG review of our proposal to align browsers on a secure and consistent model for blocking cross-site cookies.

While there's relative consensus that "third-party" (or cross-site) cookie blocking is desirable for user privacy, the details are entirely unspecified at the moment. As a major pain point, it's unclear how cross-site cookie blocking interacts with the `SameSite` cookie attribute, which is a definition of "cross-site" that takes into account not simply the plain relationship of an embed with its top-level browsing context, but also various other security-related factors such as the presence of a cross-site ancestor, the request methods and top-level redirects.

We have proposed a resolution to this problem, arguing that cross-site cookie blocking should indeed prevent cookies being loaded in most `SameSite=None` type scenarios going forward. Specifically, we make the assertion that the `SameSite` attribute as-is does not sufficiently protect sites from attacks given the lack of granular control for developers.

  - Explainer¹ (minimally containing user needs and example code): https://github.com/DCtheTall/standardizing-cross-site-cookie-semantics/blob/main/README.md
  - User research: N/A
  - Security and Privacy self-review²: Probably N/A, the document itself is a security review
  - GitHub repo (if you prefer feedback filed there): https://github.com/DCtheTall/standardizing-cross-site-cookie-semantics
  - Primary contacts (and their relationship to the specification):
      - Johann Hofmann (@johannhof), Google, Editor
      - Dylan Cutler (@dcthetall), Google, Editor
      - Kaustubha Govind (@krgovind), Google, Editor
      - Artur Janc (@arturjanc), Google, Editor
  - Organization/project driving the design: Google
  - External status/issue trackers for this feature (publicly visible, e.g. Chrome Status): Chrome plans to ship the recommended behavior as part of its deprecation of third-party cookies in 2024, which is tracked in https://chromestatus.com/feature/5133113939722240

Further details:

  - [x] I have reviewed the TAG's [Web Platform Design Principles](https://www.w3.org/TR/design-principles/)
  - The group where the incubation/design work on this is being done (or is intended to be done in the future): WebAppSec
  - The group where standardization of this work is intended to be done ("unknown" if not known): WebAppSec
  - Existing major pieces of multi-stakeholder review or discussion of this design: [Mozilla](https://github.com/mozilla/standards-positions/issues/806) and [Apple](https://github.com/WebKit/standards-positions/issues/191) have deferred official comment on this document until it moves under WebAppSec.
  - Major unresolved issues with or opposition to this design: The standardization of `SameSite=Lax` as the default in the Cookies RFC is more or less stalled by [discussion over temporary web compat measures](https://github.com/httpwg/http-extensions/issues/2104), which is some feedback we've repeatedly heard in relation to our document. We agree that this situation should be resolved, but we also think that this document isn't really dependent on the standardization state of `SameSite` defaults.
  - This work is being funded by: Google

You should also know that we have already discussed this in the WebAppSec WG and agreed to convert this document into a WG Note, which will also contain additional guidance for user agents on how to securely restore access to cross-site cookies using APIs such as Storage Access or other methods.

We'd prefer the TAG provide feedback as (please delete all but the desired option):

  💬 leave review feedback as a **comment in this issue** and @-notify @johannhof


Received on Thursday, 28 September 2023 10:14:41 UTC
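
An added example, not code from the explainer or this issue, modelling the factors the request lists as part of the `SameSite` notion of "cross-site" (top-level site, cross-site ancestors, request method, cross-site redirects) and the proposed rule that cross-site cookie blocking withholds `SameSite=None` cookies in those same contexts. The two-label site approximation, the context object shape, and the simplification that `None` becomes gated like `Lax` are assumptions made for illustration.

```javascript
// Added model (not the explainer's code) of the "cross-site" definition that
// SameSite uses and of gating SameSite=None under cross-site cookie blocking.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
// Assumption: a "site" is the last two host labels; a real user agent
// derives the registrable domain from the Public Suffix List.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Request context (constructed shape): requestHost is the URL being fetched,
// topLevelHost is the top-level document (for navigations: the initiator),
// ancestorHosts lists every frame above the requester, and crossSiteRedirect
// records whether a cross-site hop occurred in the redirect chain.
function isSameSiteContext(ctx) {
  const s = siteOf(ctx.requestHost);
  if (siteOf(ctx.topLevelHost) !== s) return false;
  if (ctx.ancestorHosts.some((h) => siteOf(h) !== s)) return false;
  if (ctx.crossSiteRedirect) return false;
  return true;
}

// Today: SameSite=None is attached in any context; Lax only survives a
// safe-method top-level navigation; Strict never leaves the same-site context.
function attachedToday(sameSite, ctx) {
  if (isSameSiteContext(ctx)) return true;
  if (sameSite === 'None') return true;
  if (sameSite === 'Lax') return ctx.isTopLevelNavigation && SAFE_METHODS.has(ctx.method);
  return false;
}

// Proposal, simplified (assumption): with cross-site cookie blocking, None is
// gated by the same cross-site definition, so it behaves like Lax.
function attachedWithBlocking(sameSite, ctx) {
  if (isSameSiteContext(ctx)) return true;
  if (sameSite === 'Strict') return false;
  return ctx.isTopLevelNavigation && SAFE_METHODS.has(ctx.method);
}

// Constructed scenarios drawn from the factors listed in the request.
const abaEmbed = { // a.example frame nested in b.example inside a.example top-level
  requestHost: 'api.a.example', topLevelHost: 'www.a.example',
  ancestorHosts: ['www.a.example', 'b.example'], method: 'GET',
  isTopLevelNavigation: false, crossSiteRedirect: false };
const crossSitePostNav = {
  requestHost: 'a.example', topLevelHost: 'b.example', ancestorHosts: [],
  method: 'POST', isTopLevelNavigation: true, crossSiteRedirect: false };
const crossSiteGetNav = { ...crossSitePostNav, method: 'GET' };
const redirectedSubresource = { ...abaEmbed, ancestorHosts: ['www.a.example'], crossSiteRedirect: true };
```

Running `attachedToday` and `attachedWithBlocking` side by side over these scenarios shows which `SameSite=None` contexts the proposal would close off (the A-B-A embed, the cross-site POST navigation, the cross-site redirect) and which it would keep (a safe-method top-level navigation).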