[prev in list] [next in list] [prev in thread] [next in thread] 

List:       webkit-dev
Subject:    Re: [webkit-dev] Same-Site cookies by default
From:       John Wilander <wilander () apple ! com>
Date:       2020-03-07 2:51:26
Message-ID: 2E383269-E26F-4F93-8B78-F0A4EED5995B () apple ! com
[Download RAW message or body]

Hi Patrick!

Thanks for bringing this up. I'll share my view of where we are.

First of all, cookies mostly live in the http layer so the various WebKit ports would \
have to work this out independently to some extent. Maybe libcurl and libsoup have \
readily available APIs for this?

Second, we have communicated tentative support for SameSite=lax by default, but in \
terms of its privacy protections, WebKit is far ahead with its Intelligent Tracking \
Prevention (ITP, or Resource Load Statistics in open source). Servers that expect to \
get default third-party cookie access merely through a SameSite=none; Secure \
configuration will find that such an option does not exist under ITP. Instead, \
third-parties who need cookie access can make use of the Storage Access API which \
gives users control and transparency.

Finally, as far as I know, Chrome is still the only browser to try out SameSite=lax \
plus forced TLS for SameSite=none and they seem to be at 10% rollout at this moment. \
We'd like to hear some lessons learned from them since it may be a tough rollout, at \
least for a browser that has historically allowed all cookies in third-party contexts \
by default. Safari is among a few browsers that has not allowed that. I do not know \
what default cookie policies the other WebKit browsers have.

   Regards, John

> On Mar 6, 2020, at 1:07 PM, Patrick Griffis <pgriffis@igalia.com> wrote:
> 
> Chromium has had the idea to treat all cookies as SameSite=Lax by
> default as well as blocking SameSite=None over HTTP for a while now,
> hidden behind a flag, and seem to be rolling this out soon.
> 
> The topic is discussed in detail here:
> https://web.dev/samesite-cookies-explained/#changes-to-the-default-behavior-without-samesite
>  
> I just wondered if other developers had any thoughts on this move and
> if/when WebKit should follow. The downside is of course compatibility
> but the upside is improved privacy.
> _______________________________________________
> webkit-dev mailing list
> webkit-dev@lists.webkit.org
> https://lists.webkit.org/mailman/listinfo/webkit-dev
_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic