[webkit-dev] Same-Site cookies by default
Maciej Stachowiak
mjs at apple.com
Fri Mar 6 18:46:32 PST 2020
Current WebKit trunk blocks all third-party cookies (with ITP enabled), which is a more extreme version of the same thing. We’re currently testing the compatibility fallout.
Treating cookies as SameSite=Lax by default is moot when third-party cookies are blocked, as the SameSite=None behavior would not be permitted at all.
Chromium has been just about to roll out their change for a while now, but my understanding is that it’s still only applied to a low percentage of users.
Regards,
Maciej
> On Mar 6, 2020, at 1:07 PM, Patrick Griffis <pgriffis at igalia.com> wrote:
>
> Chromium has had the idea to treat all cookies as SameSite=Lax by
> default as well as blocking SameSite=None over HTTP for a while now,
> hidden behind a flag, and seem to be rolling this out soon.
>
> The topic is discussed in detail here:
> https://web.dev/samesite-cookies-explained/#changes-to-the-default-behavior-without-samesite
>
> I just wondered if other developers had any thoughts on this move and
> if/when WebKit should follow. The downside is of course compatibility
> but the upside is improved privacy.
> _______________________________________________
> webkit-dev mailing list
> webkit-dev at lists.webkit.org
> https://lists.webkit.org/mailman/listinfo/webkit-dev
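The cookie rules discussed in this thread, sketched as an added example that is not part of the original messages and is not Chromium or WebKit code. It is a simplified JavaScript model; the policy names, cookie names and request shape are assumptions made for illustration.

```javascript
// Simplified model (an assumption for illustration, not browser source code).
// Policies:
//   "legacy"            - a cookie without SameSite behaves as SameSite=None
//   "lax-by-default"    - no SameSite => Lax; SameSite=None requires Secure
//   "block-third-party" - legacy defaults, but no cookies in third-party contexts
const POLICIES = ["legacy", "lax-by-default", "block-third-party"];
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

function effectiveSameSite(cookie, policy) {
  const attr = (cookie.sameSite || "").toLowerCase();
  if (attr === "strict" || attr === "lax" || attr === "none") return attr;
  return policy === "lax-by-default" ? "lax" : "none";
}

// Whether the browser stores the cookie at all.
function acceptsCookie(cookie, policy) {
  const none = effectiveSameSite(cookie, policy) === "none";
  return !(policy === "lax-by-default" && none && !cookie.secure);
}

// Whether a stored cookie is attached to the request (scheme checks omitted).
function isSent(cookie, request, policy) {
  if (!acceptsCookie(cookie, policy)) return false;
  if (!request.crossSite) return true;
  if (policy === "block-third-party" && !request.topLevelNavigation) return false;
  const mode = effectiveSameSite(cookie, policy);
  if (mode === "none") return true;
  if (mode === "lax") return request.topLevelNavigation && SAFE_METHODS.has(request.method);
  return false; // strict: never sent cross-site
}

// Constructed sample cookies and requests (names are hypothetical).
const COOKIES = {
  unlabelled: { name: "sid" },
  noneSecure: { name: "widget", sameSite: "None", secure: true },
  noneInsecure: { name: "tracker", sameSite: "None" },
};
const EMBED = { crossSite: true, topLevelNavigation: false, method: "GET" }; // iframe or image
const LINK = { crossSite: true, topLevelNavigation: true, method: "GET" };   // clicked link

// One row per cookie, one column per policy.
function compare(request) {
  const rows = {};
  for (const [label, cookie] of Object.entries(COOKIES)) {
    rows[label] = Object.fromEntries(POLICIES.map((p) => [p, isSent(cookie, request, p)]));
  }
  return rows;
}

console.table(compare(EMBED));
```

For the embedded request, the `block-third-party` column is false for every cookie, including the `SameSite=None; Secure` one that `lax-by-default` still sends.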