- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Wed, 5 Aug 2020 19:45:42 -0700
- To: public-webappsec@w3.org
(I wasn't sure what's the right mailing list for such questions. Apologies if this is not it.)

Hi,

It seems right now, a portal request can allow making a cross-site request that sends (lax) same-site cookies cross origin without a full-on page navigation / popup. On one hand, it is reasonable because the aim of the portal could be seen as "prerendering content in advance for navigation". On the other hand, the portal spec talks about use cases [1] for portals being "iframes used for ads being replaced with portals". In that case, it seems wrong to allow portal requests to send samesite cookies.

I was wondering what everyone thought about portal's interaction with same site cookies? I couldn't find any mention of cookies in the portal spec nor of portal in the same-site cookie spec.

(btw, I had this question mostly cos I was looking at Dominic's question on CSP and Portals [2])

cheers
Dev

[1] https://github.com/WICG/portals#use-cases
[2] https://github.com/w3c/webappsec-csp/issues/437
Received on Thursday, 6 August 2020 02:46:08 UTC
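
The two readings of a portal load discussed in the message above, as an added example that is not part of the original message or of any spec: a small model of the SameSite attachment decision for a cross-site request. The `portalPolicy` switch, the request shape, the cookie jar and the site names are assumptions constructed for illustration.

```javascript
// Added illustration: which cookies accompany a request under the SameSite rules.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Assumption: portalPolicy is a hypothetical switch for how a portal load is
// classified: "top-level" (like a navigation) or "nested" (like an iframe).
function isTopLevelNavigation(request, portalPolicy) {
  switch (request.kind) {
    case "navigation": return true;   // link click or popup
    case "iframe":     return false;  // nested browsing context
    case "portal":     return portalPolicy === "top-level";
    default: throw new Error("unknown request kind: " + request.kind);
  }
}

// Returns the names of the cookies attached to the request.
function cookiesSent(request, cookies, portalPolicy) {
  const crossSite = request.initiatorSite !== request.targetSite;
  const topLevel = isTopLevelNavigation(request, portalPolicy);
  return cookies
    .filter((c) => {
      if (!crossSite) return true;                 // same-site: every cookie goes
      if (c.sameSite === "None") return c.secure;  // None is only honoured with Secure
      if (c.sameSite === "Lax") return topLevel && SAFE_METHODS.has(request.method);
      return false;                                // Strict: never sent cross-site
    })
    .map((c) => c.name);
}

// Constructed sample data (not taken from the message).
const jar = [
  { name: "session", sameSite: "Lax", secure: true },
  { name: "csrf", sameSite: "Strict", secure: true },
  { name: "tracker", sameSite: "None", secure: true },
];
const portalLoad = {
  kind: "portal",
  method: "GET",
  initiatorSite: "https://publisher.example",
  targetSite: "https://shop.example",
};

console.log("portal as navigation:", cookiesSent(portalLoad, jar, "top-level"));
console.log("portal as iframe:    ", cookiesSent(portalLoad, jar, "nested"));
```
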