Re: [w3c/ServiceWorker] Add new environment settings object field "cross site ancestry" for SameSite cookies work (PR #1775)

@yoshisatoyanagisawa commented on this pull request.



> @@ -3065,6 +3065,11 @@ spec: storage; urlPrefix: https://storage.spec.whatwg.org/
               :: Return |serviceWorker|'s [=service worker/script url=].
               : The [=environment settings object/origin=]
               :: Return its registering [=/service worker client=]'s [=environment settings object/origin=].
+              : The [=environment settings object/cross site ancestry=]
+              :: Return its registering [=/service worker client=]'s [=environment settings object/cross site ancestry=].
+                <div class="note">
+                  Note: If service workers are not partitioned by the [=environment settings object/cross site ancestry=], clients must include logic to use the initial  [=/http fetch=]'s [=/request=]'s [=request/client=]'s [=environment settings object/cross site ancestry=] when determining the "<code>SameSite</code>" mode.
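Review bot: The last added line puts a requirement ("clients must include logic to use ...") inside a `<div class="note">`, which is non-normative, so the non-partitioned case it describes would bind no implementation. Either move the condition into the normative text as a conditional step of this field's definition, or reword the note so that it only describes behaviour defined elsewhere and drops "must". On the same line, "clients" is ambiguous next to the [=/service worker client=] term used two lines above (user agents appear to be meant), and there is a double space before [=/http fetch=].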

Hi @annevk, thank you for the review and sorry for the delay in my response.

You're correct, and I agree with removing this note. It's not appropriate to define requirements within a spec note.

Let me clarify the uncertainty that led me to suggest it in the first place. My core question is: Is storage partitioning considered a normative requirement for a compliant ServiceWorker implementation?

If all compliant user agents must implement storage partitioning, then as you said, we don't need to consider the non-partitioned case, and this note is simply noise.

However, if partitioning is not a hard requirement, I am concerned about the scenario where a non-partitioned ServiceWorker intercepts a fetch from a cross-site iframe. It might incorrectly determine the `cross-site ancestry` to be `false`, leading to an unintended relaxation of `SameSite` cookie protections. The note was a flawed attempt to bridge that potential gap.

Given your expertise on the platform, I'd appreciate your guidance here. Should the ServiceWorker spec be written with the assumption that storage partitioning is present? Or should we add normative text (not a note) to ensure the `cross-site ancestry` is handled safely even in a non-partitioned context?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/pull/1775#discussion_r2234962657

Message ID: <w3c/ServiceWorker/pull/1775/review/3060748392@github.com>

Received on Monday, 28 July 2025 07:00:30 UTC
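
The non-partitioned scenario raised in the message above, as an added example that is not part of the original message, the PR, or the spec. It is a simplified model: all names are hypothetical, "site" is approximated without the Public Suffix List, and both the partition key shape and the meaning of cross site ancestry (true when any ancestor is cross-site) are assumptions.

```javascript
// Simplified model. All names here are hypothetical; none are spec algorithms.
// "Site" is approximated as scheme + last two host labels (no Public Suffix List).
const site = (origin) => {
  const u = new URL(origin);
  return `${u.protocol}//${u.hostname.split(".").slice(-2).join(".")}`;
};

// Assumed meaning of the field: true when any ancestor is cross-site to the client.
const crossSiteAncestry = (client) =>
  client.ancestors.some((a) => site(a) !== site(client.origin));

class WorkerStore {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.workers = new Map();
  }
  key(client, scope) {
    if (!this.partitioned) return scope;
    const top = site(client.ancestors[0] ?? client.origin);
    return `${top}|${crossSiteAncestry(client)}|${scope}`;
  }
  // Get-or-register: the worker keeps its registering client's ancestry.
  controllerFor(client, scope) {
    const k = this.key(client, scope);
    if (!this.workers.has(k)) {
      this.workers.set(k, { crossSiteAncestry: crossSiteAncestry(client) });
    }
    return this.workers.get(k);
  }
}

// Ancestry used for the "SameSite" decision on a fetch the worker intercepts.
function ancestryForFetch(store, client, scope, useRequestClient) {
  const worker = store.controllerFor(client, scope);
  return useRequestClient ? crossSiteAncestry(client) : worker.crossSiteAncestry;
}

function scenario(partitioned, useRequestClient) {
  const scope = "https://app.example/";
  const topLevel = { origin: "https://app.example", ancestors: [] };
  const framed = { origin: "https://app.example", ancestors: ["https://other.test"] };
  const store = new WorkerStore(partitioned);
  store.controllerFor(topLevel, scope); // first-party page registers first
  return ancestryForFetch(store, framed, scope, useRequestClient);
}

console.log(scenario(false, false), scenario(false, true), scenario(true, false));
```

A `false` result for the framed client means its cookies would be evaluated as if no cross-site ancestor existed; in this model that happens only when the store is not partitioned and the worker's stored value is used instead of the request client's.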