- From: Anusha Muley <notifications@github.com>
- Date: Wed, 16 Oct 2024 08:13:48 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/1004@github.com>
Hello TAG!
I'm requesting a TAG review for allowing `SameSite=None` cookies in first-party sandboxed contexts in browsers with third-party cookie (3PC) restrictions.
In order to prevent malicious attacks from untrusted content, servers can include a `Content-Security-Policy: sandbox` HTTP header or sandbox attribute on an embedded iframe. This policy results in the browser treating the frame as an opaque origin, and requests originating from it cannot include `SameSite=Strict/Lax` cookies. However, for the purposes of 3PC blocking, the opaque origin also causes the browser to treat same-site subresource embeds on the top-level as cross-site, so `SameSite=None` cookies are also excluded from requests.
To preserve legacy behavior and mitigate future breakage due to 3PC blocking, we would like to introduce a method for servers to indicate to the browser that they wish a sandboxed context to include first-party `SameSite=None` cookies in requests using a `Content-Security-Policy` or HTML `iframe` sandboxing value: `'allow-same-site-none-cookies'`.
- Explainer (minimally containing user needs and example code):
https://github.com/explainers-by-googlers/csp-sandbox-allow-same-site-none-cookies/blob/main/README.md
- User research: N/A
- Security and Privacy self-review: https://github.com/explainers-by-googlers/csp-sandbox-allow-same-site-none-cookies/blob/main/tag_self_review.md
- GitHub repo: https://github.com/explainers-by-googlers/csp-sandbox-allow-same-site-none-cookies
- Primary contacts (and their relationship to the specification):
  - Anusha Muley (@aamuley, Google Chrome, author)
  - Dylan Cutler (@DCtheTall, Google Chrome, author)
- Organization/project driving the design: Google Chrome
- External status/issue trackers for this feature (publicly visible, e.g. Chrome Status): https://chromestatus.com/feature/5090336588955648
Further details:
- [X] I have reviewed the TAG's [Web Platform Design Principles](https://www.w3.org/TR/design-principles/)
- The group where the incubation/design work on this is being done (or is intended to be done in the future):
Web Application Security WG
- The group where standardization of this work is intended to be done ("unknown" if not known): unknown
- Existing major pieces of multi-implementer review or discussion of this design:
  - Initial Proposal Issue: https://github.com/w3c/webappsec-csp/issues/664
  - TPAC discussion: https://pad.w3.org/p/WebAppSec_2024-09-26#L505
- Major unresolved issues with or opposition to this design: None so far
- This work is being funded by: Google
--
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1004
Received on Wednesday, 16 October 2024 15:13:51 UTC
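The message above describes three cookie-inclusion outcomes for a same-site subresource request: from an unsandboxed frame (Strict/Lax and None cookies all sent), from a sandboxed frame with third-party cookie blocking (nothing sent, because the opaque origin is treated as cross-site), and from a sandboxed frame carrying the proposed `allow-same-site-none-cookies` token (only `SameSite=None` cookies sent). The following is an added, simplified model of those rules written for this page; it is not code from the explainer, the proposal or any browser engine. The `siteOf` helper (last two host labels instead of the Public Suffix List), the omission of Lax's navigation exceptions and cookie Domain/Path scoping, and the assumption that the token is honoured only when the sandboxed frame's real origin is same-site with the top level are all simplifications made here.

```javascript
// Added illustration of the cookie rules described in the proposal above.
// Not browser code; see the lead-in for the assumptions this model makes.

// Parse the sandbox token set out of a Content-Security-Policy header value,
// e.g. "sandbox allow-scripts allow-same-site-none-cookies; default-src 'self'".
// Returns null when the policy does not sandbox the document at all.
function parseSandboxDirective(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] === 'sandbox') return new Set(tokens.slice(1));
  }
  return null;
}

// Registrable "site" of a host. Simplified to the last two labels for this
// model (assumption); a real implementation consults the Public Suffix List.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// ctx    = { topLevelHost, frameHost, sandbox: Set|null, blockThirdPartyCookies }
// cookie = { name, sameSite: 'Strict' | 'Lax' | 'None' }
// Returns true when the cookie would be attached to a subresource request
// made from the frame to requestHost.
function cookieIncluded(ctx, cookie, requestHost) {
  const sandboxed = ctx.sandbox !== null;
  const reqSite = siteOf(requestHost);
  const topIsSameSite = reqSite === siteOf(ctx.topLevelHost);
  const frameIsSameSite = reqSite === siteOf(ctx.frameHost);

  // A sandboxed document has an opaque origin, so no request from it is
  // "same-site": SameSite=Strict/Lax cookies are never attached from it.
  const sameSiteRequest = !sandboxed && topIsSameSite && frameIsSameSite;
  if (cookie.sameSite === 'Strict' || cookie.sameSite === 'Lax') {
    return sameSiteRequest;
  }

  // SameSite=None: always sent when third-party cookies are not blocked.
  if (!ctx.blockThirdPartyCookies) return true;

  // With 3PC blocking the request must be first-party. For an unsandboxed
  // frame that means the whole chain is same-site with the request.
  if (!sandboxed) return topIsSameSite && frameIsSameSite;

  // The opaque origin makes the browser classify even a same-site embed as
  // cross-site, unless the proposed token opts the frame back in. Modelled
  // here (assumption) as effective only for a first-party sandboxed frame.
  const frameIsFirstParty = siteOf(ctx.frameHost) === siteOf(ctx.topLevelHost);
  return topIsSameSite && frameIsFirstParty
    && ctx.sandbox.has('allow-same-site-none-cookies');
}

// Run the three scenarios from the proposal against constructed sample
// cookies and hosts; returns, per scenario, the names of the cookies sent.
function demo() {
  const cookies = [                      // constructed sample cookies
    { name: 'sid', sameSite: 'Lax' },
    { name: 'pref', sameSite: 'None' },
  ];
  const base = {                          // constructed sample hosts
    topLevelHost: 'www.example.com',
    frameHost: 'www.example.com',         // first-party frame
    blockThirdPartyCookies: true,
  };
  const scenarios = {
    unsandboxed: { ...base, sandbox: null },
    sandboxed: { ...base, sandbox: parseSandboxDirective('sandbox allow-scripts') },
    optedIn: { ...base, sandbox: parseSandboxDirective(
      'sandbox allow-scripts allow-same-site-none-cookies') },
  };
  const result = {};
  for (const [name, ctx] of Object.entries(scenarios)) {
    result[name] = cookies
      .filter((c) => cookieIncluded(ctx, c, 'static.example.com'))
      .map((c) => c.name);
  }
  return result;
}

console.log(demo());
```

The same token is meant to work as an `<iframe sandbox="...">` attribute value as well as a CSP `sandbox` directive token; the model above only parses the header form, and the attribute form would feed the same `Set` into `cookieIncluded`.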