Comments (10)
@krgovind made me aware of two small additions to the above:
- @annevk suggested that there are still security ("confused deputy") concerns for Scenario 1 and 2; so we need to discuss with WebAppSec folks and make sure they're ok with that.
- For Scenario 4, John mentioned that Safari has a similar carveout for extensions.
I think all these are super important to figure out and discuss, I just wonder if our regular meeting format can allow folks to properly deep dive into those (maybe with some preparatory coordination beforehand).
I figured I'd at least have some slides next time (help appreciated) to set context and obviate the need for some of the questions that we ended up with yesterday, but I'd also be happy to discuss these with a smaller group.
Meeting slides: https://docs.google.com/presentation/d/1OBR1mfp_EEBOQJr26tQd6LUmU8CmZOClQqVBMjSabd4/edit.
Meeting minutes: https://github.com/privacycg/meetings/blob/main/2022/telcons/05-12-minutes.md.
Follow-up issue on A1 -> B -> A2 (and SameSite=None): privacycg/storage-partitioning#31.
Related issue on keying in CHIPS: privacycg/CHIPS#40.
I think this can be closed. @johannhof @krgovind can you double check?
We can probably close this, but I think it might be worth tracking the larger discussion around SameSite=None and what would happen to it in a world without third party cookies (what about POST requests, do we still need "lax"?). Do you think storage-partitioning is the right place for that?
Yeah, let's track cookie issues that don't have a good home there for now.
I also realized we don't have a good issue there for exposing partitionedness so I'm filing that as well.
We met at TPAC to continue this discussion (slides; I don't think we had a scribe, which is entirely my fault). Here's a summary of what we ended up discussing and agreeing on:
Cookie Layering:
- We want to move forward with our plans for Cookie Layering. As we have general alignment between browser vendors on this idea we think that we should continue the discussion in the IETF HTTP WG.
- We discussed some details of how layering would work and largely agreed on the rough proposed structure, with a few caveats. Specifically, the cookie RFC / cookie store should hold the authority over decisions to set or return cookies given the information passed in by its consumers (e.g. SameSite / 3P context information). The keying of cookie entries based on rules such as partitioning should be done by HTML/Fetch based on a custom key that the store will receive.
Cross-site cookies vs. SameSite=None
- There was no opposition to allowing `SameSite=None` cookies to be written or read in an A > B > A setting. Chrome will likely adopt this behavior when blocking 3P cookies.
- Similarly, there were no concerns about allowing `SameSite=None` cookies to be sent in Scenario 2.
- @johnwilander noted that Safari had some custom blocking rules for cookies in cross-site navigations, though I'm not sure we were able to capture them accurately, so a written version would be nice. I think there is a general desire to better understand Safari cookie blocking rules (e.g. on navigation) and how they relate to `SameSite`. We later discussed that @annevk might be able to document this for us.
Thank you everyone for a great productive chat!
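An added, simplified model of the layering summarised in the comment above (illustration only, not spec text or any browser's implementation; site names such as `a.example` are constructed): the HTML/Fetch layer derives a key and a same-site context from the frame ancestor chain, and the cookie store decides on that basis alone, so that A's `SameSite=None` cookie is readable in A > B > A while a B frame under A gets nothing.

```python
from dataclasses import dataclass
# Illustrative model only (added example, not spec text or browser code);
# site names like "a.example" are constructed.

@dataclass(frozen=True)
class Cookie:
    name: str
    host: str       # site the cookie belongs to
    same_site: str  # "None", "Lax" or "Strict"

def fetch_context(ancestor_chain):
    """HTML/Fetch layer: from the chain of sites (top-level document first,
    requesting frame last) derive the custom key (top-level site) and the
    same-site context that the store will receive."""
    top, current = ancestor_chain[0], ancestor_chain[-1]
    same_site = all(site == current for site in ancestor_chain)
    return top, ("same-site" if same_site else "cross-site")

class CookieStore:
    """Cookie-RFC layer: entries are kept under the key the consumer passes in;
    SameSite is enforced purely from the passed-in context."""
    def __init__(self):
        self.jar = {}  # key -> list of cookies

    def set(self, cookie, ancestor_chain):
        key, ctx = fetch_context(ancestor_chain)
        if cookie.host != ancestor_chain[-1]:
            return False  # a frame only sets cookies for its own site
        if cookie.same_site != "None" and ctx != "same-site":
            return False  # Lax/Strict are never written cross-site
        self.jar.setdefault(key, []).append(cookie)
        return True

    def get(self, ancestor_chain):
        key, ctx = fetch_context(ancestor_chain)
        return sorted(c.name for c in self.jar.get(key, [])
                      if c.host == ancestor_chain[-1]
                      and (c.same_site == "None" or ctx == "same-site"))

def demo():
    store = CookieStore()
    store.set(Cookie("sid", "a.example", "None"), ["a.example"])   # A top-level
    store.set(Cookie("csrf", "a.example", "Lax"), ["a.example"])   # A top-level
    store.set(Cookie("bsid", "b.example", "None"), ["b.example"])  # B top-level
    return {
        "A": store.get(["a.example"]),                                # ['csrf', 'sid']
        "A>B>A": store.get(["a.example", "b.example", "a.example"]),  # ['sid'] only
        "A>B": store.get(["a.example", "b.example"]),                 # [] (B is third-party)
        "B>A": store.get(["b.example", "a.example"]),                 # [] (A's cookies sit under key A)
    }
```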
cc @krgovind
I think when `SameSite=None` is used those concerns do not quite apply. At the very least, the website ought to know that in such cases it can be confused about authority and should use other tools to check for the correct authority. (At that point in the meeting we might have been talking past each other a bit, my apologies for that.)
Embracing `SameSite=None` cookies as a unique special case that can enter other partitions might be okay.
Ok, yeah, I actually agree with that, thanks for following up!