Re: FYI: Same-site cookies. from Daniel Appelquist on 2016-03-30 (www-tag@w3.org from March 2016)

From: Daniel Appelquist <appelquist@gmail.com>
Date: Wed, 30 Mar 2016 14:40:01 +0000
To: Mike West <mkwst@google.com>, "www-tag@w3.org List" <www-tag@w3.org>
Cc: Alex Russell <slightlyoff@google.com>, Mark Nottingham <mnot@mnot.net>
Message-ID: <CALiHrgkxdVmWEaJYfh4kcth+Es=HzPh2UyPCYu_79JFB3QUrKA@mail.gmail.com>

Hi Mike – FYI I turned this into a TAG issue here
https://github.com/w3ctag/spec-reviews/issues/114 and we will discuss and
assign this week at our f2f. Dan

On Fri, Mar 25, 2016 at 9:37 AM Mike West <mkwst@google.com> wrote:

> Hello, lovely TAG enthusiasts.
>
> The last few times I've visited with y'all, we've chatted a bit about
> upcoming changes to cookies. I'd like to draw your attention to one in
> particular, as Alex suggested that it might be relevant to some discussions
> you're having regarding the same-origin policy.
>
> We're planning on shipping a `SameSite` attribute (née "First-Party-Only"
> (née "First-Party")) in Chrome ~51 that aims to address CSRF and
> information leakage attacks. I'm pretty excited about it, and folks at
> Mozilla seem equally interested:
>
> Spec: https://tools.ietf.org/html/draft-west-first-party-cookies
>
> Intent to Ship:
> https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/csCtW3M3-wg
>
> Feedback from y'all on this feature or others that you might be interested
> in seeing would be totally welcome.
>
> Thanks!
>
> -mike
>

Received on Wednesday, 30 March 2016 14:40:40 UTC