[Webkit-unassigned] [Bug 198181] Cookies with SameSite=None or SameSite=invalid treated as Strict
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Sep 10 23:54:44 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=198181
Deniss Kozlovs <deniss at codeart.lv> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |deniss at codeart.lv
--- Comment #41 from Deniss Kozlovs <deniss at codeart.lv> ---
The problem is, "None" should not be treated as "Strict" because they have opposite meanings. "Strict" means that cookie will not be transferred to third-party, and not be transferred back when returning from third-party domain.
"None" means default behavior that existed since 1997.
This now requires a dirty hack (by using regex to parse user agent) to be made when setting session parameters in the backend, because Chrome now requires SameSite=None when using cross-domain redirects back and forth (for example, making payments).
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200911/5b01acdd/attachment-0001.htm>
More information about the webkit-unassigned
mailing list