SameSite=Lax by default.

[mikewest]

Guten TAG,

I'm requesting a TAG review of:

• Name: Incrementally Better Cookies
• Specification URL: https://mikewest.github.io/cookie-incrementalism/draft-west-cookie-incrementalism.html
• Explainer, Requirements Doc, or Example code: The spec is fairly short, and (I hope!) readably explanatory.
• Tests: We'll be adding some .tentative WPT shortly.
• Primary contacts: @mikewest, @morlovich

Further details (optional):

TL;DR: We're proposing treating cookies as SameSite=Lax by defaul. Developers would be able to opt-into the status quo by explicitly asserting SameSite=None, but to do so, they'll also need to ensure that their cookies won't be delivered over non-secure transport by asserting the Secure attribute. The specification (paginated) spells out the proposal in a bit more detail.

• Relevant time constraints or deadlines: We'd like to begin experimenting with this behavior in the relatively near future, but we're not planning on shipping it tomorrow.
• I am more or less familiar with the Self-Review Questionnare on Security and Privacy. My assessment is that this is a privacy-positive change, as it entails a strict reduction in cookies going over the wire in plaintext, and that it will be a pretty substantial mitigation against CSRF, etc.
• I have reviewed the TAG's API Design Principles

We'd prefer the TAG provide feedback as (please select one):

• open issues in our GitHub repo for each point of feedback
• open a single issue in our GitHub repo for the entire review
• leave review feedback as a comment in this issue and @-notify [github usernames]

Thanks!

[hober]

Assigning @dbaron and myself because I'd like each of us to talk to colleagues on our teams with the relevant domain expertise.

[kenchris]

Gecko: Intent to implement: Cookie SameSite=lax by default and SameSite=none only if secure

https://groups.google.com/forum/#!msg/mozilla.dev.platform/nx2uP0CzA9k/BNVPWDHsAQAJ

[RByers]

Blink: Intent to implement an ship: Cookies with SameSite by default

Note that SameSite=None is currently treated as Strict in iOS / MacOS. I have argued that I don't think we can reasonably ship this in blink as a result (don't want to force developers to rely on UA sniffing). If the CFNetwork fix (rdar://problem/42290578) got back-ported to iOS 12 then that would probably address my concern. Alternately, a different design using a new token (instead of SameSite) could address the adoption concern, but it seems that would probably be a real shame to stick the web with. @hober this is the issue I mentioned at the CSSWG meeting last week.

[dbaron]

I'm curious if @bakulf has any interesting feedback from prototyping in Gecko (I also can't tell from the bug what the state of the pref being enabled is).

[bakulf]

SameSite=Lax by default has been a topic of a couple of dom-security meetings. Currently, this feature is disabled by default, but we have strong interests in enabling in nightly, and maybe in release too. We asked Mark Goodwin to follow this topic, but after that, I don't know what has happened.

[chlily1]

Chrome is looking at enabling this on pre-Stable channels soon. https://www.chromestatus.com/feature/5088147346030592

[hober]

Hi,

@dbaron, @plinss, @ylafon, and I took another look at this in our Cupertino F2F. We're satisfied with how this review has gone and the current direction of the proposal. We're going to close this issue. Thanks!