`SameSite=Lax` by default.

[mikewest]

Guten TAG,

I'm requesting a TAG review of:

• Name: Incrementally Better Cookies
• Specification URL: https://mikewest.github.io/cookie-incrementalism/draft-west-cookie-incrementalism.html
• Explainer, Requirements Doc, or Example code: The spec is fairly short, and (I hope!) readably explanatory.
• Tests: We'll be adding some .tentative WPT shortly.
• Primary contacts: @mikewest, @morlovich

Further details (optional):

TL;DR: We're proposing treating cookies as SameSite=Lax by defaul. Developers would be able to opt-into the status quo by explicitly asserting SameSite=None, but to do so, they'll also need to ensure that their cookies won't be delivered over non-secure transport by asserting the Secure attribute. The specification (paginated) spells out the proposal in a bit more detail.

• Relevant time constraints or deadlines: We'd like to begin experimenting with this behavior in the relatively near future, but we're not planning on shipping it tomorrow.
• I am more or less familiar with the Self-Review Questionnare on Security and Privacy. My assessment is that this is a privacy-positive change, as it entails a strict reduction in cookies going over the wire in plaintext, and that it will be a pretty substantial mitigation against CSRF, etc.
• I have reviewed the TAG's API Design Principles

We'd prefer the TAG provide feedback as (please select one):

• open issues in our GitHub repo for each point of feedback
• open a single issue in our GitHub repo for the entire review
• leave review feedback as a comment in this issue and @-notify [github usernames]

Thanks!

[hober]

Assigning @dbaron and myself because I'd like each of us to talk to colleagues on our teams with the relevant domain expertise.

[kenchris]

Gecko: Intent to implement: Cookie SameSite=lax by default and SameSite=none only if secure

https://groups.google.com/forum/#!msg/mozilla.dev.platform/nx2uP0CzA9k/BNVPWDHsAQAJ