Re: Cookies Settings Observations

From: Yehuda Katz <wycats@gmail.com>
Date: Mon, 26 Jan 2015 20:12:25 +0000
Message-ID: <CAMFeDTWNJi8Ms9H2drGDX8h9vkXsuAZSRr7LvwcEW9SdRG5VZQ@mail.gmail.com>
To: Daniel Appelquist <appelquist@gmail.com>, TAG List <www-tag@w3.org>
I recently asked around about why we don't have a CSP mechanism (or other
opt-in) to tell the browser that the cookies of a particular domain are
"same origin only".

I didn't get a satisfactory response, but maybe somebody knows?

On Mon, Jan 26, 2015, 12:03 PM Daniel Appelquist <appelquist@gmail.com>
wrote:

> At the risk of being accused of turning this into a “Safari Support
> Forum,” I would like to make some observations about Safari’s new cookie
> settings. This is not intended as feedback to the Safari team or product,
> which I will file separately, but rather is intended to address some
> conversation we had on this point at the last f2f meeting (initiated by
> Mark, I believe). I’ve been trying to use the Web with Safari with cookie
> settings set to “Allow from current site only,” and I have encountered many
> difficulties. Most of these have been in the context of OAuth sessions (for
> example when trying to “sign in with github” or “sign in with Facebook.”)
> In these cases, setting cookie settings back to “Allow from websites I
> visit” usually remedies the situation. In addition, I’ve had issues with
> sites (such as most recently run by UK Government) that hand you off to a
> 3rd party payment processor (in this case Worldpay) as part of executing a
> translation (I have also filed this as a bug).
>
> My observation is that many production web sites rely on the presence and
> functionality of third party cookies. And when these do not function (for
> example if the cookie settings in Safari are set to “Allow from current
> site only”) the behavior of these sites is to fail silently (e.g. in an
> OAuth session you are redirected back to the calling site and aren’t signed
> in but left with no indication why not) or fail with a cryptic message
> (e.g. you get github’s “something went wrong” page but again have specific
> indication that this may have something to do with cookies).
>
> Dan
>
Received on Monday, 26 January 2015 20:12:53 UTC
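As an added illustration, not code from the thread and not anything Yehuda or Dan proposed: a small Python model of the per-cookie "same origin only" opt-in Yehuda asks about. The scope names, the `Cookie`/`Request` types and the decision rules are assumptions made here; they follow, in simplified form, the `SameSite` cookie attribute that browsers later standardised, not a normative algorithm. Running the three scopes through the sign-in round trip Dan describes shows exactly where a returning user arrives at the calling site without their session cookie (the "redirected back but not signed in" failure) and which relaxation keeps a top-level GET redirect working while still withholding the cookie from embedded third-party contexts.

```python
"""Model of a per-cookie "same origin only" opt-in and its effect on cross-site flows.

Constructed for this page; not code from the mailing-list thread. The three scopes
mirror the SameSite attribute values browsers later adopted, but the rules below are
a simplification written here, not the browser's normative algorithm.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Scope(Enum):
    NONE = "None"      # legacy: attached to any request to the cookie's site
    LAX = "Lax"        # same-site requests plus cross-site top-level GET navigations
    STRICT = "Strict"  # only requests initiated from the cookie's own site


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    site: str           # registrable domain that set it, e.g. "app.example"
    scope: Scope = Scope.NONE


@dataclass(frozen=True)
class Request:
    target_site: str
    initiator_site: Optional[str]  # site of the document causing the request; None if typed by the user
    top_level: bool                # True for navigations, False for subresources, iframes, XHR
    method: str = "GET"


def is_same_site(req: Request) -> bool:
    """A request is same-site when its initiator is the target site (or the user typed the URL)."""
    return req.initiator_site is None or req.initiator_site == req.target_site


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Decide whether the modelled browser attaches `cookie` to `req`."""
    if cookie.site != req.target_site:
        return False                       # a cookie is never sent to a different site
    if cookie.scope is Scope.NONE or is_same_site(req):
        return True
    if cookie.scope is Scope.LAX:          # cross-site: only top-level GET navigations
        return req.top_level and req.method == "GET"
    return False                           # STRICT: never on a cross-site request


def cookie_header(jar: List[Cookie], req: Request) -> str:
    """Build the Cookie header the modelled browser would send ('' if nothing qualifies)."""
    return "; ".join(f"{c.name}={c.value}" for c in jar if cookie_is_sent(c, req))


def sign_in_round_trip(scope: Scope) -> Dict[str, bool]:
    """Does app.example still see its session cookie when the user comes back from idp.example?

    Constructed scenario (assumed site names): app.example holds a session cookie and
    hands the user off to idp.example to sign in. The identity provider then returns
    the user in one of three ways. A False value is the silent failure Dan describes:
    the app cannot match the returning user to the session it started.
    """
    jar = [Cookie("app_session", "s3cr3t", "app.example", scope)]  # constructed value
    # 1. Redirect-style return: idp.example navigates the top-level window back with GET ?code=...
    redirect_back = Request("app.example", "idp.example", top_level=True, method="GET")
    # 2. Form-post-style return: idp.example auto-submits a POST form to app.example.
    post_back = Request("app.example", "idp.example", top_level=True, method="POST")
    # 3. Third-party context: app.example content embedded in an iframe on idp.example.
    embedded = Request("app.example", "idp.example", top_level=False, method="GET")
    # 4. Ordinary same-site request from app.example's own page (control case).
    same_site = Request("app.example", "app.example", top_level=False, method="POST")
    return {
        "redirect_get": cookie_header(jar, redirect_back) != "",
        "form_post": cookie_header(jar, post_back) != "",
        "embedded_iframe": cookie_header(jar, embedded) != "",
        "same_site": cookie_header(jar, same_site) != "",
    }


if __name__ == "__main__":
    for scope in Scope:
        print(f"{scope.value:7s} {sign_in_round_trip(scope)}")
```

Under the strict scope every cross-site return loses the session cookie, which is the behaviour a site asking for "same origin only" would have to be prepared for; the lax scope keeps the common GET redirect working but still drops the cookie for POST-based returns and for embedded (third-party) loads, so a site adopting either scope needs to test its sign-in and payment hand-offs rather than rely on the failure being visible.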