Setting samesite cookies when not same site context #594
Comments
I vaguely remember discussions on this, i.e. whether the whole cookie should be dropped or just the SameSite attribute. Anyone on this thread who remembers? (Part of what I remember is that Mozilla changed their mind.)
Blocking SameSite cookie creation in cross-origin POST contexts means that an OAuth cookie that is set as a result from a POST from the auth provider site will fail. This seems undesirable.
I think it's pretty clear that we ought to be blocking the creation of Navigations are more interesting. We send I think I could live with a world in which top-level navigations (regardless of method) are empowered to create /cc @mozmark @morlovich
I've built a reduced repro for this scenario at https://webdbg.com/test/cookie/samesite/post.aspx . Firefox Nightly ignores the attempt to set the SameSite cookie for the cross-origin image, but permits the cookie to be set during the form post. I believe that the proposed fix (matching Firefox) unblocks the OAuth scenario regression we've found, although I do wonder about the notion that a context shouldn't be able to set cookies that it, itself, cannot read (e.g. a page can currently set
Yeah, that does seem to be Firefox's behavior. I'm curious about how they landed on that, and how exactly they're determining whether to allow the cookie to be set. Are they just ignoring the "safe method" bit? Do nested navigations work as well? @mozmark, WDYT?
You're right about
Ah, I'd forgotten that this was added in leave-secure-cookies-alone and further confused myself by running my test case in an Edge Spartan window (IE and old Edge never implemented that update).
Assuming @mozmark doesn't object in the near future, I'd suggest running with the proposal to remove the "safe" method check for storage. I'll put up a PR at some point soonish.
…gation Based on the discussion in #594, this patch aligns the specification with Firefox's status quo behavior: allowing `SameSite=*` cookies to be set from all top-level navigations, not just navigations for which `SameSite=*` cookies would also be sent.
PR in #800.
What happens when a page tries to set a samesite cookie when we are not in a samesite context? For instance, a top-level a.com has an iframe to b.com and b.com tries to set a cookie with the samesite attribute. It sounds like we would want the cookie to not be writeable since it's not readable in that case.
cc @mikewest
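To make the two storage rules debated above concrete (the original "only when the cookie would also be sent" rule versus the #800 rule that lets any top-level navigation create a SameSite cookie), here is an added model of the decision, not code from the spec or from any browser. The `SetCookieContext` fields, the `rule` names and the scenario list are assumptions constructed for illustration; cookies without a SameSite attribute are treated like `SameSite=None` here, which sidesteps the default-attribute question the thread does not discuss.

```python
from dataclasses import dataclass
from typing import Optional

# Methods RFC 7231 calls "safe". The pre-#800 rule only let a cross-site
# top-level navigation create a Lax cookie when it used one of these.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


@dataclass(frozen=True)
class SetCookieContext:
    """Request context in which a Set-Cookie arrived (hypothetical model)."""
    same_site: Optional[str]      # SameSite attribute value, None if absent
    same_site_request: bool       # request is same-site with the top-level site
    top_level_navigation: bool    # request navigates a top-level browsing context
    method: str                   # HTTP method of the request


def may_store_cookie(ctx: SetCookieContext, rule: str = "pr800") -> bool:
    """Decide whether the cookie store accepts the cookie under `rule`.

    "pre800": a cross-site request may only create a SameSite cookie when the
              cookie would also have been sent on it (Lax, top-level, safe method).
    "pr800":  any top-level navigation may create a SameSite cookie, regardless
              of method (Firefox's behaviour, adopted by #800).
    """
    attr = (ctx.same_site or "None").capitalize()
    if attr == "None":
        return True               # not a same-site-restricted cookie
    if ctx.same_site_request:
        return True               # same-site: readable, so writable
    if ctx.top_level_navigation:
        if rule == "pr800":
            return True
        return attr == "Lax" and ctx.method.upper() in SAFE_METHODS
    # Cross-site subresource (image) or nested frame: the context could not
    # read the cookie, so it may not create it either.
    return False


# Constructed scenarios matching the cases raised in the thread.
SCENARIOS = {
    "oauth_post": SetCookieContext("Lax", False, True, "POST"),     # IdP form-POSTs back
    "cross_site_get": SetCookieContext("Lax", False, True, "GET"),
    "cross_site_image": SetCookieContext("Lax", False, False, "GET"),
    "cross_site_iframe": SetCookieContext("Strict", False, False, "GET"),
    "same_site_xhr": SetCookieContext("Strict", True, False, "POST"),
}


def evaluate(rule: str) -> dict:
    """Return {scenario: accepted?} for every constructed scenario."""
    return {name: may_store_cookie(ctx, rule) for name, ctx in SCENARIOS.items()}
```

Running `evaluate("pre800")` and `evaluate("pr800")` shows the OAuth POST case as the only scenario whose outcome changes; the cross-site image and iframe cases are rejected under both rules.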