- From: Marcin Piosek <marcin@piosek.pl>
- Date: Thu, 6 Aug 2020 09:09:03 +0200
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: public-webappsec@w3.org
- Message-ID: <CACmZnZApmXjPGqv=mLzdYvSfLSB+F8TSe-JBNX7J+wgW4vxHNw@mail.gmail.com>

Hello Devdatta,

This issue is already under discussion:
- https://github.com/WICG/portals/issues/182
- https://github.com/WICG/portals/issues/184

Cheers,
Piochu

On Thu, 6 Aug 2020 at 04:47, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> (I wasn't sure what's the right mailing list for such questions.
> apologies if this is not it.)
>
> hi
>
> It seems right now, a portal request can allow making a cross-site
> request that sends (lax) same-site cookies cross origin without a full
> on page navigation / popup. On one hand, it is reasonable because the
> aim of the portal could be seen as "prerendering content in advance
> for navigation". On the other hand, the portal spec talks about use
> cases [1] for portals being "iframes used for ads being replaced with
> portals". In that case, it seems wrong to allow portal requests to
> send samesite cookies. I was wondering what everyone thought about
> portal's interaction with same site cookies? I couldn't find any
> mention of cookies in the portal spec nor of portal in the same-site
> cookie spec.
>
> (btw, I had this question mostly cos I was looking at Dominic's
> question on CSP and Portals[2])
>
> cheers
> Dev
>
>
> [1] https://github.com/WICG/portals#use-cases
> [2] https://github.com/w3c/webappsec-csp/issues/437

Received on Thursday, 6 August 2020 12:20:12 UTC