Having read the proposal, I think it's a good mechanism for us to know
about websites that want third-party cookies and it seems less costly to
deploy for websites than Storage Access API.

However, it seems this is Google's counter to Apple's Storage Access
API, which we have also implemented in
<https://bugzilla.mozilla.org/show_bug.cgi?id=1469714>.

What's our plan here? Offer both and find out what's going to get more
traction?

On 23.05.19 at 10:33, Andrea Marchesini wrote:
> Link to the proposal:
> https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
> 
> Summary:
>   "1.  Treat the lack of an explicit "SameSite" attribute as
>        "SameSite=Lax".  That is, the "Set-Cookie" value "key=value" will
>        produce a cookie equivalent to "key=value; SameSite=Lax".
>        Cookies that require cross-site delivery can explicitly opt-into
>        such behavior by asserting "SameSite=None" when creating a
>        cookie.
>    2.  Require the "Secure" attribute to be set for any cookie which
>        asserts "SameSite=None" (similar conceptually to the behavior for
>        the "__Secure-" prefix).  That is, the "Set-Cookie" value
>        "key=value; SameSite=None; Secure" will be accepted, while
>        "key=value; SameSite=None" will be rejected."
> 
> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1551798
> 
> Platform coverage: all
> 
> Estimated or target release: 69 - behind pref
> 
> Preferences behind which this will be implemented:
>  - network.cookie.sameSite.laxByDefault
>  - network.cookie.sameSite.noneRequiresSecure (this requires the previous
> one to be set to true)
> 
> Is this feature enabled by default in sandboxed iframes? yes.
> 
> Do other browser engines implement this?
>  - Chrome is implementing/experimenting with this feature:
> https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
>  - Safari: no signal yet.
> 
> web-platform-tests: There is a pull-request
> https://github.com/web-platform-tests/wpt/pull/16957
> Implementing this feature, I added a mochitest to inspect cookies via
> CookieManager.
> 
> Is this feature restricted to secure contexts? no
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
> 
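
The two rules quoted in the summary above, modelled as an added example that is not part of the original thread and not Firefox code: it evaluates `Set-Cookie` values with both behaviours off and on, so a site operator can see which cookies change. The function names, the sample headers and the handling of unrecognised `SameSite` values are assumptions of this sketch; the two keyword arguments mirror the prefs named in the message.

```python
# Added sketch of the two rules in draft-west-cookie-incrementalism-00 (names are hypothetical).

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name=value pair, {lowercased attr: value})."""
    pair, *attrs = [part.strip() for part in header.split(";")]
    parsed = {}
    for attr in filter(None, attrs):
        key, _, value = attr.partition("=")
        parsed[key.strip().lower()] = value.strip()
    return pair, parsed


def evaluate(header, lax_by_default=True, none_requires_secure=True):
    """Return (accepted, effective_samesite) for one Set-Cookie value."""
    _, attrs = parse_set_cookie(header)
    declared = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if declared not in ("strict", "lax", "none"):
        # Assumption of this sketch: an absent or unrecognised value gets the default.
        declared = "lax" if lax_by_default else "none"
    # Rule 2 only applies when rule 1 is enabled, matching the pref dependency.
    if lax_by_default and none_requires_secure and declared == "none" and not secure:
        return False, None
    return True, declared.capitalize()


def audit(headers):
    """List cookies whose handling differs between legacy behaviour and both prefs on."""
    changed = []
    for header in headers:
        before = evaluate(header, lax_by_default=False, none_requires_secure=False)
        after = evaluate(header)
        if before != after:
            changed.append((header, before, after))
    return changed


# Constructed sample headers, not taken from any real site.
SAMPLE = [
    "key=value",
    "key=value; SameSite=None; Secure",
    "key=value; SameSite=None",
    "sid=abc; SameSite=Strict; HttpOnly",
]

if __name__ == "__main__":
    for header, before, after in audit(SAMPLE):
        print(f"{header!r}: {before} -> {after}")
```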