
Re: portals and same site cookies?

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Thu, 6 Aug 2020 08:11:28 -0700
Message-ID: <CAPfop_3m0nrBzd5i7G6NFtpi67utBGs7PMiA+zdxLLkod7HRYg@mail.gmail.com>
To: Marcin Piosek <marcin@piosek.pl>
Cc: public-webappsec@w3.org
Also, Dominic clarified that the ads use case is not a big use case
and mostly the focus is pre-rendering. Thanks for the links; those are
very helpful. It seems it's still not clear what the decision is
though. Chrome already shipped with sending lax same-site cookies.

On Thu, 6 Aug 2020 at 00:09, Marcin Piosek <marcin@piosek.pl> wrote:
>
> Hello Devdatta,
>
> This issue is already under discussion:
>
> https://github.com/WICG/portals/issues/182
> https://github.com/WICG/portals/issues/184
>
> Cheers,
> Piochu
>
> On Thu, 6 Aug 2020 at 04:47, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>
>> (I wasn't sure what's the right mailing list for such questions.
>> Apologies if this is not it.)
>>
>> Hi
>>
>> It seems right now, a portal request can allow making a cross-site
>> request that sends (lax) same-site cookies cross origin without a full
>> on page navigation / popup. On one hand, it is reasonable because the
>> aim of the portal could be seen as "prerendering content in advance
>> for navigation". On the other hand, the portal spec talks about use
>> cases [1] for portals being "iframes used for ads being replaced with
>> portals". In that case, it seems wrong to allow portal requests to
>> send samesite cookies. I was wondering what everyone thought about
>> portal's interaction with same site cookies? I couldn't find any
>> mention of cookies in the portal spec nor of portal in the same-site
>> cookie spec.
>>
>> (btw, I had this question mostly cos I was looking at Dominic's
>> question on CSP and Portals[2])
>>
>> cheers
>> Dev
>>
>>
>> [1] https://github.com/WICG/portals#use-cases
>> [2] https://github.com/w3c/webappsec-csp/issues/437
>>
Received on Thursday, 6 August 2020 15:11:53 UTC
