- From: bvandersloot-mozilla <notifications@github.com>
- Date: Wed, 04 Jun 2025 05:27:19 -0700
- To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/ServiceWorker/pull/1775/review/2896534677@github.com>
@bvandersloot-mozilla commented on this pull request. 
> @@ -3065,6 +3065,8 @@ spec: storage; urlPrefix: https://storage.spec.whatwg.org/ :: Return |serviceWorker|'s [=service worker/script url=]. : The [=environment settings object/origin=] :: Return its registering [=/service worker client=]'s [=environment settings object/origin=]. + : The [=environment settings object/cross site ancestry=] + :: Return its registering [=/service worker client=]'s [=environment settings object/cross site ancestry=].

> I assume that cross site ancestry is used for noticing 3rd party site ancestry to avoid unexpected cookie access there.

Yes, specifically for the `SameSite` cookie attribute.

> Assuming that the registration has been done by Origin A, but actual usage is fetching from ServiceWorker-controlled iframe Origin A inside Origin B. For that case, I guess fetching inside iframe Origin A can be captured by ServiceWorker registered by the Origin A (not iframe's) if the storage partitioning is disabled. Then, the iframe itself might be cross site ancestry == true but the ServiceWorker intercepting the request might be cross site ancestry == false. Is it intended behavior?

The intended behavior is to (soon in the spec, currently in implementation) include the `cross site ancestry` into the partition key. That means that this would be entirely fine. I do want to make sure not to spec in the issue described here though: https://issues.chromium.org/issues/40053069. That is, a Fetch initiated by Origin A (iframe) but intercepted by a worker that was registered by the top-level Origin A should not get SameSite=Strict cookies, i.e. its Fetch `client` argument should be an environment settings object with `cross site ancestry` true. I think this is currently correct because the Service Worker itself uses [set up a worker environment settings object](https://html.spec.whatwg.org/multipage/workers.html#set-up-a-worker-environment-settings-object) to build its ESO. I'm updating that in https://github.com/whatwg/html/pull/11133.
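Review bot: the two added lines define the worker's `cross site ancestry` as a copy of its registering service worker client's, so a worker registered from a top-level Origin A document reports `cross site ancestry` false even while it intercepts a fetch issued by an Origin A iframe framed by Origin B. The reply relies on two things the hunk does not say: that the intercepted fetch keeps the iframe's environment settings object as its `client` (so SameSite decisions never read the worker's own value), and that `cross site ancestry` will join the partition key in a later change. Suggest a short note beside the new entry stating that the worker's value does not govern cookie attachment for the fetches it intercepts, plus a reference to the partition-key follow-up, so readers of the spec do not take this entry as the thing that decides SameSite=Strict behaviour.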
-- Reply to this email directly or view it on GitHub: https://github.com/w3c/ServiceWorker/pull/1775#discussion_r2126475276
Received on Wednesday, 4 June 2025 12:27:23 UTC
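The scenario the reply describes, as an added toy model that is not part of the thread, the Service Worker spec or any browser's code: a SameSite=Strict cookie must not be attached when the initiating document is an Origin A iframe with cross-site ancestry, even if the intercepting worker was registered by the top-level Origin A. Sites are written as bare registrable domains, the cookie jar is constructed, and the treatment of `Lax` follows the RFC 6265bis "same-site" computation (the thread itself only talks about `Strict`); all names and the `makeClient`/`cookiesToAttach` helpers are assumptions for illustration.

```javascript
// Added example: which cookies a fetch may carry, decided from the
// environment settings object (ESO) that initiated the fetch, not from
// the service worker that intercepts it. Toy model, not spec text.

// A client stands in for HTML's environment settings object: its site
// plus the "cross site ancestry" flag the PR adds to the worker's ESO.
function makeClient(site, crossSiteAncestry) {
  return { site, crossSiteAncestry };
}

// RFC 6265bis "same-site": the request's site must equal the initiating
// document's site AND none of that document's ancestors may be cross-site.
function isSameSiteRequest(client, requestSite) {
  return client.site === requestSite && !client.crossSiteAncestry;
}

// Return the names of the cookies that would be attached to a request for
// `requestSite` made by `client`. Host matching is simplified to one site.
function cookiesToAttach(cookieJar, client, requestSite,
                         { topLevelNavigation = false, method = "GET" } = {}) {
  return cookieJar
    .filter((cookie) => {
      if (cookie.site !== requestSite) return false;
      switch (cookie.sameSite) {
        case "None":
          return true; // (real UAs also require Secure; omitted here)
        case "Strict":
          return isSameSiteRequest(client, requestSite);
        case "Lax":
          if (isSameSiteRequest(client, requestSite)) return true;
          // Lax also rides along on cross-site top-level navigations with
          // safe methods; a service-worker-intercepted subresource fetch
          // is never one of those.
          return topLevelNavigation && (method === "GET" || method === "HEAD");
        default:
          throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
      }
    })
    .map((cookie) => cookie.name);
}

// Constructed cookie jar for the site "a.example".
const JAR = [
  { name: "sid_strict", site: "a.example", sameSite: "Strict" },
  { name: "sid_lax", site: "a.example", sameSite: "Lax" },
  { name: "prefs_none", site: "a.example", sameSite: "None" },
];

// The thread's case: a worker registered by top-level a.example
// (cross site ancestry false) intercepts a fetch from an a.example iframe
// embedded in b.example (cross site ancestry true). Deciding from the
// registrant's ESO would leak sid_strict; deciding from the iframe's ESO
// (the fetch's actual `client`) correctly withholds it.
function comparePageScenario() {
  const registeringClient = makeClient("a.example", false);
  const iframeClient = makeClient("a.example", true);
  return {
    usingWorkerRegistrant: cookiesToAttach(JAR, registeringClient, "a.example"),
    usingInitiatingIframe: cookiesToAttach(JAR, iframeClient, "a.example"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(comparePageScenario(), null, 2));
}
```

The point to take from the two results is that the flag the PR adds to the worker's ESO is the wrong input for the cookie decision; the `client` of the intercepted fetch, which still belongs to the iframe, is the right one.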