- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Thu, 6 Aug 2020 08:11:28 -0700
- To: Marcin Piosek <marcin@piosek.pl>
- Cc: public-webappsec@w3.org
Also, Dominic clarified that the ads use case is not a big use case and mostly the focus is pre-rendering. Thanks for the links; those are very helpful. It seems it's still not clear what the decision is though. Chrome already shipped with sending lax same-site cookies.

On Thu, 6 Aug 2020 at 00:09, Marcin Piosek <marcin@piosek.pl> wrote:
>
> Hello Devdatta,
>
> This issue is already under discussion:
>
> https://github.com/WICG/portals/issues/182
> https://github.com/WICG/portals/issues/184
>
> Cheers,
> Piochu
>
> On Thu, 6 Aug 2020 at 04:47, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>
>> (I wasn't sure what's the right mailing list for such questions.
>> Apologies if this is not it.)
>>
>> hi
>>
>> It seems right now, a portal request can allow making a cross-site
>> request that sends (lax) same-site cookies cross origin without a full
>> on page navigation / popup. On one hand, it is reasonable because the
>> aim of the portal could be seen as "prerendering content in advance
>> for navigation". On the other hand, the portal spec talks about use
>> cases [1] for portals being "iframes used for ads being replaced with
>> portals". In that case, it seems wrong to allow portal requests to
>> send samesite cookies. I was wondering what everyone thought about
>> portal's interaction with same site cookies? I couldn't find any
>> mention of cookies in the portal spec nor of portal in the same-site
>> cookie spec.
>>
>> (btw, I had this question mostly cos I was looking at Dominic's
>> question on CSP and Portals[2])
>>
>> cheers
>> Dev
>>
>>
>> [1] https://github.com/WICG/portals#use-cases
>> [2] https://github.com/w3c/webappsec-csp/issues/437
>>
Received on Thursday, 6 August 2020 15:11:53 UTC