Allowing SameSite=None Cookies in First-Party Sandboxed Contexts #450
Description
WebKittens
Title of the proposal
Allowing SameSite=None Cookies in First-Party Sandboxed Contexts
URL to the spec
URL to the spec's repository
https://github.com/whatwg/html
Issue Tracker URL
No response
Explainer URL
https://github.com/explainers-by-googlers/csp-sandbox-allow-same-site-none-cookies
TAG Design Review URL
Mozilla standards-positions issue URL
mozilla/standards-positions#1165
WebKit Bugzilla URL
No response
Radar URL
No response
Description
When third-party cookies (3PC) are blocked by Chrome and Firefox, contexts with the Content-Security-Policy: sandbox header or the <iframe> sandbox attribute are no longer able to use SameSite=None cookies. The frame must include the allow-same-origin value to use cookies, which relaxes many security protections including the opaque origin.
We want to restore existing behavior and enable a frame to signal the browser to include SameSite=None cookies in first-party requests from sandboxed frames when 3PC restrictions are active, using the allow-same-site-none-cookies value.
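The trade-off the description lays out, modelled as an added example (not code from the explainer or from any browser): it parses the sandbox directive out of a CSP header value and reports, under the assumption that third-party cookies are blocked and the request is same-site with the page, whether the frame keeps its opaque origin and whether SameSite=None cookies would be sent with allow-same-origin versus the proposed allow-same-site-none-cookies token.

```javascript
// Extract the token list of the sandbox directive from a CSP header value.
// Returns null when the policy contains no sandbox directive at all.
function sandboxTokensFromCsp(cspHeaderValue) {
  for (const directive of cspHeaderValue.split(";")) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length && parts[0].toLowerCase() === "sandbox") return parts.slice(1);
  }
  return null;
}

// Model (an assumption, not browser code) of the cookie behaviour described in
// the proposal. thirdPartyCookiesBlocked=true reproduces the Chrome/Firefox
// state the proposal is concerned with; the request is assumed same-site.
function cookieBehaviour(sandboxTokens, { thirdPartyCookiesBlocked = true } = {}) {
  if (sandboxTokens === null) {
    // Not sandboxed: ordinary first-party context, cookies flow as usual.
    return { sandboxed: false, opaqueOrigin: false, sendsSameSiteNoneCookies: true };
  }
  const tokens = new Set(sandboxTokens.map((t) => t.toLowerCase()));
  const allowSameOrigin = tokens.has("allow-same-origin");
  // allow-same-origin gives the frame its real origin, i.e. the opaque-origin
  // protection (and the isolation that depends on it) is gone.
  const opaqueOrigin = !allowSameOrigin;
  let sendsSameSiteNoneCookies;
  if (!thirdPartyCookiesBlocked) {
    sendsSameSiteNoneCookies = true; // legacy behaviour before 3PC restrictions
  } else if (allowSameOrigin) {
    sendsSameSiteNoneCookies = true; // first-party again, at the cost of isolation
  } else {
    // Opaque origin is treated as cross-site, so only the proposed token
    // lets SameSite=None cookies through while keeping the origin opaque.
    sendsSameSiteNoneCookies = tokens.has("allow-same-site-none-cookies");
  }
  return { sandboxed: true, opaqueOrigin, sendsSameSiteNoneCookies };
}
```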