SameSite cookie handling

[ygupta81]

Description

Today there are multiple differences across browsers in how SameSite cookies are handled.

1. Google’s Chrome and Microsoft’s Edge defaults to SameSite=Lax while Mozilla’s Firefox and Apple’s Safari do not - https://web.dev/samesite-cookies-explained/#samesite=lax-by-default
2. Google’s Chrome and Microsoft’s Edge require secure context for SameSite=None while Mozilla’s Firefox enable this behind a preference and Apple’s Safari currently has no support - https://web.dev/samesite-cookies-explained/#samesite=none-must-be-secure

Rationale

These incompatibilities make life of web developers difficult with respect to following:-

1. Developers often have to resort to detecting which browsers are SameSite incompatible. Based on that detection, different solutions are put in which make application maintenance difficult
2. Detection mechanism itself is difficult to maintain as browsers are updated
3. These incompatibilities also make security standards across the browsers inconsistent making a particular website less secure on one browser than the other.

Specification

• https://datatracker.ietf.org/doc/html/draft-west-first-party-cookies-07#section-4.1

Tests

• https://wpt.fyi/results/cookies/samesite/setcookie-lax.https.html?label=stable&label=master&aligned&view=subtest
• https://wpt.fyi/results/cookies/samesite-none-secure?label=master&label=stable&aligned&view=subtest

[foolip]

@ygupta81 thanks for submitting a proposal for Interop 2023!

One of the specification links are broken, looks like a mishap and there should only be one link, but can you confirm?

cc @mikewest as the editor of the spec.

[ygupta81]

@ygupta81 thanks for submitting a proposal for Interop 2023!

One of the specification links are broken, looks like a mishap and there should only be one link, but can you confirm?

cc @mikewest as the editor of the spec.

You are correct, just fixed!

[gsnedders]

https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.7 is the current specification, AFAIK.

[nairnandu]

Thank you for proposing SameSite cookie handling for inclusion in Interop 2023.

We wanted to let you know that this proposal was not selected to be part of Interop this year. There are still unresolved issues around SameSite cookie handling, and particularly the correct default behavior. We would welcome this proposal being resubmitted for a future round of Interop once these differences are resolved.

For an overview of our process, see the proposal selection summary. Thank you again for contributing to Interop 2023!

Posted on behalf of the Interop team.