
Re: portals and same site cookies?

From: Marcin Piosek <marcin@piosek.pl>
Date: Thu, 6 Aug 2020 09:09:03 +0200
Message-ID: <CACmZnZApmXjPGqv=mLzdYvSfLSB+F8TSe-JBNX7J+wgW4vxHNw@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: public-webappsec@w3.org
Hello Devdatta,

This issue is already under discussion:

   - https://github.com/WICG/portals/issues/182
   - https://github.com/WICG/portals/issues/184

Cheers,
Piochu

On Thu, 6 Aug 2020 at 04:47, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> (I wasn't sure what's the right mailing list for such questions.
> Apologies if this is not it.)
>
> hi
>
> It seems right now, a portal request can allow making a cross-site
> request that sends (lax) same-site cookies cross origin without a full
> on page navigation / popup. On one hand, it is reasonable because the
> aim of the portal could be seen as "prerendering content in advance
> for navigation". On the other hand, the portal spec talks about use
> cases [1] for portals being "iframes used for ads being replaced with
> portals". In that case, it seems wrong to allow portal requests to
> send samesite cookies. I was wondering what everyone thought about
> portal's interaction with same site cookies? I couldn't find any
> mention of cookies in the portal spec nor of portal in the same-site
> cookie spec.
>
> (btw, I had this question mostly cos I was looking at Dominic's
> question on CSP and Portals[2])
>
> cheers
> Dev
>
>
> [1] https://github.com/WICG/portals#use-cases
> [2] https://github.com/w3c/webappsec-csp/issues/437
>
>
Received on Thursday, 6 August 2020 12:20:12 UTC
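
The question raised in the quoted message can be made concrete with a simplified model of SameSite cookie attachment. This is an added example, not part of the thread or of any spec text. The site names, the cookie jar, and the `portalPolicy` switch are assumptions for illustration: how a portal load is classified is exactly the open point, so the code takes it as a parameter.

```javascript
// Simplified model of which cookies a browser attaches to a request.
// Assumption: sites are compared as plain strings; real browsers compare
// scheme plus registrable domain and also apply Domain/Path matching.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// portalPolicy is hypothetical: "as-navigation" treats a portal load like a
// top-level navigation (prerendering view), "as-embed" treats it like an
// iframe (the ad-replacement use case mentioned in the thread).
function effectiveContext(request, portalPolicy) {
  if (request.context !== "portal") return request.context;
  return portalPolicy === "as-navigation" ? "top-level-navigation" : "iframe";
}

function cookiesToSend(jar, request, portalPolicy) {
  const crossSite = request.initiatorSite !== request.targetSite;
  const context = effectiveContext(request, portalPolicy);
  // Lax cookies go on cross-site requests only for top-level navigations
  // that use a safe HTTP method.
  const laxAllowed =
    context === "top-level-navigation" && SAFE_METHODS.has(request.method);
  return jar
    .filter((c) => c.site === request.targetSite)
    .filter((c) => {
      if (!crossSite) return true;                         // same-site: everything
      if (c.sameSite === "None") return c.secure === true; // None requires Secure
      if (c.sameSite === "Lax") return laxAllowed;
      return false;                                        // Strict: never cross-site
    })
    .map((c) => c.name);
}

// Constructed sample data (not from the thread).
const jar = [
  { name: "session", site: "app.example", sameSite: "Lax", secure: true },
  { name: "admin", site: "app.example", sameSite: "Strict", secure: true },
  { name: "widget", site: "app.example", sameSite: "None", secure: true },
];
const portalLoad = {
  targetSite: "app.example",
  initiatorSite: "publisher.example",
  method: "GET",
  context: "portal",
};

console.log("as-navigation:", cookiesToSend(jar, portalLoad, "as-navigation"));
console.log("as-embed:     ", cookiesToSend(jar, portalLoad, "as-embed"));
```

Under the navigation classification the Lax `session` cookie rides along with a request the user never visibly navigated to; under the embed classification only the `SameSite=None` cookie is sent.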
