Spec says we send SameSite=Strict cookies #609

cbiesinger · 2024-05-30T17:42:12Z

The last paragraph of https://fedidcg.github.io/FedCM/#browser-api says:

For fetches that are sent with cookies, unpartitioned cookies are included, as if the resource was loaded as a same-origin request, e.g. regardless of the SameSite value (which is used when a resource loaded as a third-party, not first-party).

This no longer matches the CG consensus or the implementation; we only allow SameSite=None cookies. (#587 might change it to also allow Lax, but either way, the spec is incorrect)

wseltzer · 2025-04-11T17:46:26Z

Discussed at 11 April meeting notes.

cbiesinger · 2025-04-15T21:37:03Z

This was actually fixed by @npm1 in a895902. The sentence now says:

When fetches are sent with cookies, unpartitioned SameSite=None cookies are included. It doesn’t introduce security issues on the API even when third-party cookies are otherwise disabled because the RP cannot inspect the results from the fetches on its own (i.e., the browser mediates what the RP can receive).

samuelgoto added the chrome label Aug 1, 2024

npm1 mentioned this issue Aug 1, 2024

Mention SameSite cookies in accounts fetch #550

Merged

wseltzer added the FPWD label Aug 6, 2024

cbiesinger closed this as completed Apr 15, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Spec says we send SameSite=Strict cookies #609

Spec says we send SameSite=Strict cookies #609

cbiesinger commented May 30, 2024

wseltzer commented Apr 11, 2025 •

edited

Loading

Uh oh!

cbiesinger commented Apr 15, 2025

Uh oh!

Spec says we send SameSite=Strict cookies #609

Spec says we send SameSite=Strict cookies #609

Comments

cbiesinger commented May 30, 2024

wseltzer commented Apr 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

cbiesinger commented Apr 15, 2025

Uh oh!

wseltzer commented Apr 11, 2025 •

edited

Loading