-
Notifications
You must be signed in to change notification settings - Fork 35
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should include sameSite cookie attribute in write interface #36
Comments
What do you think, @mikewest ? Is this a reasonable interface for this feature? |
@domenic - any advice on how to handle the maybe-tristate value in WebIDL? Is nullability with two enum values better, or is three enum values better? Is null-as-explicit-default a reasonable way to write that case? |
X-Ref: js-cookie/js-cookie#264 |
Just enum is better than nullable enum. Use undefined to get the default and let null keep its default behavior (probably ends up throwing). |
As @annevk says. Although I think it'd be cool to change the default to |
I was concerned that defaulting to same site 'strict' would break On Fri, Sep 9, 2016, 08:45 Domenic Denicola notifications@github.com
|
I mean, it wouldn't break existing pages, and new pages that use this would notice the breakage and use another enum value. But maybe it would cause too much hair-pulling during that process. Would be curious to hear what others think. |
I suppose another possibility would be to bifurcate set into setCrossSiteCookie and setSameSiteCookie which would make the choice conscious and explicit for every single call site. What do you think? There whould still be a parameter to get the intermediate 'lax' behavior in setSameSiteCookie, though - perhaps a Boolean sameSiteLax: true or sameSiteStrict: false for the more-permissive behavior. |
Meh, that doesn't seem like much of an improvement to me due to complicating all call sites. |
What if it were set/setShared instead? On Sep 9, 2016 11:18, "Domenic Denicola" notifications@github.com wrote:
|
Why is that better than |
Actually I like your proposal better :) Also, I think making shared: 'strict' (ditto for 'lax') the default is really problematic because when the script is running in a shared context it won't be able to read the cookies it writes, by default |
Hmm, what is a shared context and when would script be running in it? |
I refer to cross-site IFRAME documents, as described in https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00#section-2.1.1 If I follow the description correctly, scripts running in cross-site IFRAME contexts won't be able to see SameSite cookies at all. |
Assuming my understanding of that is correct, I guess we could potentially default to SameSite 'strict' or SameSite 'lax' when the document and all ancestors (assuming any exist) are in the same registrable domain, and otherwise default to a non-SameSite cookie. However this may be exposing new information to scripts (whether they and all parents are in the same registrable domain) which AFAIK they cannot determine today without cross-origin document.domain collusion |
Also, it's unclear to me whether script running in a top-level document which is itself the result of a top-level navigation should be able to see SameSite 'strict' cookies. |
Further complications:
I suppose a simple way to handle all of this would be to provide separate interest registration methods for each view (for ServiceWorker monitoring) and separate CookieStore instances for each view |
@metromoxie @mikewest can you clarify a few points about SameSite cookies?
|
@mkruisselbrink any opinions on how this interacts with Fetch and Foreign-Fetch interception? Ditto with Link: ... rel=serviceworker, should that cause the resulting ServiceWorker to run in a non-SameSite mode? |
I don't think that how a service worker was originally installed should influence how future fetches made by that service worker are done, that just seems confusing. Not sure how any of the same site cookie stuff is supposed to interact with service workers. For foreign fetch possibly just treating any fetches the SW makes as not associated with any particular document makes the most sense (as just fetch(event.request) in a foreign fetch handler is already going to result in different behavior compared to the foreign fetch worker not existing, as it turns a cross origin fetch into a same origin fetch). |
For that matter it's not clear to me how same-site cookies should interact with scripts and script-initiated requests generally. Are script-initiated same-origin fetches inside non-samesite IFRAMEs explicit enough that it's safe to imbue them with full samesite ambient authority? |
Picking up the discussion here again -- I think Async Cookies needs to support setting the SameSite attribute, for feature parity with I'd like to have How about Alternatives for the third value, with reasons why I think they're worse.
Renaming the attribute to @annevk @domenic @inexorabletash Thoughts? |
|
@annevk To clarify -- do you mean that |
Yes, though I think |
Drive-by thought: |
The 'SameSite' cookie attribute (draft: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00 ) has received some public exposure, e.g. http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
The attribute is live in Chrome: https://www.chromestatus.com/feature/4672634709082112
It is being tracked for possible inclusion in Firefox too: https://bugzilla.mozilla.org/show_bug.cgi?id=795346
The possible values for this attribute in WebIDL should probably be a nullable three-valued enumeration:
The text was updated successfully, but these errors were encountered: