W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2016

Re: SameSite=Strict cookies for a user entered URL

From: Mike West <mkwst@google.com>
Date: Mon, 20 Jun 2016 16:34:20 +0200
Message-ID: <CAKXHy=eGZYSEbUpQ=JkoB-ryRQyTQnU-4wwE8JBEroATZk+NhQ@mail.gmail.com>
To: Craig Francis <craig.francis@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>

-security-dev, public-webappsec to BCC.
+ietf-http-wg@w3.org, which is the group you'll probably want to poke at
about cookies.

On Mon, Jun 13, 2016 at 6:35 PM, Craig Francis <craig.francis@gmail.com> wrote:

> Hi,
> I was wondering about the security vs usability in how SameSite=Strict
> cookies work.
> At the moment (in Chrome 51 - 53 at least), if you're on a website and
> copy/paste a URL for the current website into the current tab's address
> bar, the SameSite=Strict cookies are sent in that request.
> But if you open a new tab and paste the URL, the requested page does not
> include the SameSite=Strict cookies.

This is a bug in Chrome's implementation that I'm poking at. Step 1 of
handles this case, though it's a bit opaque since it requires you to know
that a new, user-navigated tab doesn't have a 'client'. I've filed
https://github.com/httpwg/http-extensions/issues/201 to add a note to the
spec to clarify things.

Thanks for the report, and sorry for the delayed response.

Received on Monday, 20 June 2016 14:41:10 UTC
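The rule Mike refers to, namely that a user-initiated navigation with no "client" takes the request URL's own site as its site for cookies and is therefore same-site, is easy to misread, so here is a small Python model of it. This is an added example, not code from the thread, from Chrome or from the httpwg draft. It makes two simplifying assumptions: the registrable domain is approximated by the last two host labels instead of consulting the Public Suffix List, and scheme is ignored (the 2016 draft compared hosts, not schemes). Treating the same-tab paste as a navigation whose initiator is the current page is also an assumption about how the reported case was classified; the hostnames example.com and attacker.test are constructed for the demonstration.

```python
"""Toy model of the "site for cookies" rule behind SameSite enforcement.

Added example, not code from this thread, Chrome or the httpwg draft.
Simplifications (assumptions): the registrable domain is the last two
host labels rather than a Public Suffix List lookup, and scheme is
ignored.
"""
from typing import Optional
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (assumption; real user
    agents use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def site_for_cookies(request_url: str, initiator_url: Optional[str]) -> str:
    """The step described in the reply above: a top-level navigation with
    no client (URL typed or pasted into a fresh tab, a bookmark) has no
    initiator, so the request's own URL supplies the site for cookies and
    the request is same-site by definition. Otherwise the initiator's
    site is used."""
    source = request_url if initiator_url is None else initiator_url
    return registrable_domain(urlsplit(source).hostname or "")


def is_same_site(request_url: str, initiator_url: Optional[str]) -> bool:
    target = registrable_domain(urlsplit(request_url).hostname or "")
    return target == site_for_cookies(request_url, initiator_url)


# Safe methods per RFC 7231; Lax cookies ride along on cross-site
# top-level navigations only when the method is one of these.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def cookie_attached(same_site: str, request_url: str,
                    initiator_url: Optional[str], method: str = "GET",
                    top_level: bool = True) -> bool:
    """Decide whether a cookie whose SameSite attribute is "Strict",
    "Lax" or "None" is attached to the request."""
    mode = same_site.lower()
    if mode == "none":
        return True
    if is_same_site(request_url, initiator_url):
        return True
    if mode == "lax":
        return top_level and method.upper() in SAFE_METHODS
    return False  # Strict: never sent cross-site


def report_scenarios() -> dict:
    """The two cases from the original report plus a genuine cross-site one."""
    page = "https://example.com/account"  # constructed sample
    return {
        # Same tab: the current page is taken as the initiator (assumption).
        "same_tab_paste": cookie_attached("Strict", page,
                                          "https://example.com/home"),
        # New tab: no client, so the draft says the Strict cookie is sent.
        # Chrome 51-53 withheld it, which is the bug acknowledged above.
        "new_tab_paste": cookie_attached("Strict", page, None),
        # Navigation from another site: Strict cookie correctly withheld.
        "cross_site_link": cookie_attached("Strict", page,
                                           "https://attacker.test/"),
    }


if __name__ == "__main__":
    for name, sent in report_scenarios().items():
        print(f"{name}: Strict cookie sent = {sent}")
```

The point the model makes explicit is that "no initiator" is not the same as "cross-site": a Strict cookie is withheld only when some other site's document started the navigation, which is exactly the CSRF case the attribute exists for.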
