portals and same site cookies?

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 5 Aug 2020 19:45:42 -0700
Message-ID: <CAPfop_1zvZ6kuO47MBaABLfAJJJO=uqiqY7MR7T4S48h_VHeFw@mail.gmail.com>
To: public-webappsec@w3.org
(I wasn't sure what's the right mailing list for such questions.
Apologies if this is not it.)

hi

It seems right now, a portal request can allow making a cross-site
request that sends (lax) same-site cookies cross origin without a full
on page navigation / popup. On one hand, it is reasonable because the
aim of the portal could be seen as "prerendering content in advance
for navigation". On the other hand, the portal spec talks about use
cases [1] for portals being "iframes used for ads being replaced with
portals". In that case, it seems wrong to allow portal requests to
send samesite cookies. I was wondering what everyone thought about
portal's interaction with same site cookies? I couldn't find any
mention of cookies in the portal spec nor of portal in the same-site
cookie spec.

(btw, I had this question mostly cos I was looking at Dominic's
question on CSP and Portals[2])

cheers
Dev


[1] https://github.com/WICG/portals#use-cases
[2] https://github.com/w3c/webappsec-csp/issues/437
Received on Thursday, 6 August 2020 02:46:08 UTC