
Commit a895902

npm1 and TallTed authored
Mention SameSite cookies in accounts fetch (#550)
* Mention SameSite cookies in accounts fetch

  This PR adds a mention of which cookies ought to be sent in the accounts fetch. Once cookie layering work is done, we can remove this note and properly specify it.

* feedback

* Update index.bs

* Apply suggestions from code review

  Co-authored-by: Ted Thibodeau Jr

---------

Co-authored-by: Ted Thibodeau Jr
1 parent aa3ea63 commit a895902

1 file changed

+8
-7
lines changed

spec/index.bs

Lines changed: 8 additions & 7 deletions
@@ -330,13 +330,11 @@ const credential = await navigator.credentials.get({
330330
```
331331
332332

333-
For fetches that are sent with cookies, unpartitioned cookies are included,
334-
as if the resource was loaded as a same-origin request, e.g.
335-
regardless of the
336-
[SameSite](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-samesite-attribute-2)
337-
value (which is used when a resource loaded as a third-party, not first-party). This makes it easy
338-
for an [=IDP=] to adopt the FedCM API. It doesn't introduce security issues on the API because the
339-
[=RP=] cannot inspect the results from the fetches in any way.
333+
When fetches are sent with cookies, unpartitioned
334+
[SameSite](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-samesite-attribute-2)=None
335+
cookies are included. It doesn't introduce security issues on the API even when third-party cookies are otherwise
336+
disabled because the [=RP=] cannot inspect the results from the fetches on its own (i.e., the browser mediates what
337+
the [=RP=] can receive).
340338

341339
342340
## The connected accounts set ## {#browser-connected-accounts-set}
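Review bot: the rewritten paragraph (new lines 333-337) states as plain spec prose that "unpartitioned SameSite=None cookies are included", while the note added further down at the accounts fetch (new lines 1166-1167) concedes that this cannot actually be specified until cookie layering lands; the two passages should agree on whether the SameSite=None behaviour is normative or informative, for example by marking this paragraph as a "Note:" too or wording it as intended behaviour. Two smaller points: "It doesn't introduce security issues" at 335 has lost its referent now that the preceding sentence is just "cookies are included", so "This doesn't introduce ..." or "Including them doesn't introduce ..." reads better; and the security argument now rests entirely on "the browser mediates what the [=RP=] can receive", so it is worth saying in the same sentence that this mediation is why SameSite=None cookies can be sent even when third-party cookies are disabled, rather than leaving the reader to connect the two clauses.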
@@ -1165,6 +1163,9 @@ returns an {{IdentityProviderAccountList}}.
11651163
with [=request/mode=] set to "user-agent-no-cors". See the relevant
11661164
[pull request](https://github.com/whatwg/fetch/pull/1533) for details.
11671165

1166+
Note: This fetch should only send Same-Site=None cookies. Specifying this will require
1167+
[cookie layering](https://github.com/httpwg/http-extensions/issues/2084).
1168+
11681169
1. Let |accountsList| be null.
11691170
1. [=Fetch request=] with |request| and |globalObject|, and with processResponseConsumeBody
11701171
set to the following steps given a response |response| and |responseBody|:
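Review bot: "Same-Site=None" at new line 1166 is misspelled; the attribute is "SameSite" (as in the link text used in the paragraph edited above), so the note should read "SameSite=None cookies". Since the note names cookie layering as the prerequisite, it is informative by design, which is fine, but it would help implementers to state the complement explicitly (SameSite=Lax and SameSite=Strict cookies are not sent with this fetch) and to link the same draft-ietf-httpbis-rfc6265bis SameSite section cited earlier so the attribute definition is one click away from the accounts fetch steps.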
