Allowing SameSite=None Cookies in First-Party Sandboxed Contexts #10915

Draft
wants to merge 2 commits into
base: main

@aamuley aamuley commented Jan 14, 2025

Specify a new sandboxing value allow-same-site-none-cookies which would enable a frame to signal the browser to include SameSite=None cookies in first-party requests from sandboxed frames when third-party cookie (3PC) restrictions are active.

  • At least two implementers are interested (and none opposed):
    • Chrome
  • Tests are written and can be reviewed and commented upon at:
    • [WIP]
  • Implementation bugs are filed:
    • Chromium: https://issues.chromium.org/372894175
    • Gecko: …
    • WebKit: …
    • Deno (only for timers, structured clone, base64 utils, channel messaging, module resolution, web workers, and web storage): …
    • Node.js (only for timers, structured clone, base64 utils, channel messaging, and module resolution): …
  • Corresponding HTML AAM & ARIA in HTML issues & PRs:
  • MDN issue is filed: …
  • The top of this comment includes a clear commit message to use.

(See WHATWG Working Mode: Changes for more details.)

@annevk
Member

annevk commented Jan 16, 2025

How do you determine first-party here? Does this require allow-same-origin as well?

@aamuley
Author

aamuley commented Jan 16, 2025

> How do you determine first-party here? Does this require allow-same-origin as well?

Hey, this should actually require allow-same-origin not to be set since doing so would result in the actual origin being used and SameSite=Strict/Lax cookies also being included. We want to maintain the other security benefits of sandboxing the origin.

I think jyasskin had a similar concern in our TAG review about the possible complexity of storing the origin used to create the opaque origin and only having it be used for this calculation. We intended that the document's URL would be used to compute whether the sites are first-party and if unpartitioned cookies are blocked for the request.

@annevk
Member

annevk commented Jan 16, 2025

I think using the document's URL is sound, even though it doesn't feel great. Getting this properly defined will be hard though as a lot of the cookie work isn't ready yet.
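
The decision discussed in this thread, as an added example that is not part of the PR, the HTML Standard or any browser's code: a simplified JavaScript model of which cookies accompany a fetch from an iframe to its own site. The `siteOf` helper, the small public-suffix set, the cookie names and the single-level embedding are assumptions made for illustration.

```javascript
// Added illustration: simplified model of the behaviour discussed in this PR.
// Constructed stand-in for the Public Suffix List (assumption; browsers use the full list).
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Schemeful site of a URL: scheme plus registrable domain.
function siteOf(url) {
  const { protocol, hostname } = new URL(url);
  const labels = hostname.split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return `${protocol}//${labels.slice(Math.max(i - 1, 0)).join(".")}`;
    }
  }
  return `${protocol}//${hostname}`;
}

// frame.sandbox: the iframe's sandbox attribute value, or null when not sandboxed.
// Assumes the frame is embedded directly in the top-level page and fetches its own site.
function attachedCookies(frame, cookies, thirdPartyCookiesBlocked) {
  const tokens = new Set((frame.sandbox ?? "").split(/\s+/).filter(Boolean));
  const opaqueOrigin = frame.sandbox !== null && !tokens.has("allow-same-origin");
  // The document's URL, not the opaque origin, decides first-party status.
  const urlIsFirstParty = siteOf(frame.documentUrl) === siteOf(frame.topLevelUrl);
  // An opaque origin matches no site, so the frame's requests count as cross-site.
  const sameSiteRequest = !opaqueOrigin && urlIsFirstParty;
  // The proposed token only matters while the origin stays opaque.
  const optedIn = opaqueOrigin && urlIsFirstParty &&
    tokens.has("allow-same-site-none-cookies");
  return cookies
    .filter((c) => {
      if (sameSiteRequest) return true;          // Strict, Lax and None all sent
      if (c.sameSite !== "None") return false;   // Strict/Lax withheld cross-site
      return !thirdPartyCookiesBlocked || optedIn;
    })
    .map((c) => c.name);
}

// Constructed sample cookies set by https://app.example.com.
const COOKIES = [
  { name: "sid_strict", sameSite: "Strict" },
  { name: "pref_lax", sameSite: "Lax" },
  { name: "embed_none", sameSite: "None" },
];
const frame = (sandbox, documentUrl = "https://app.example.com/widget") =>
  ({ sandbox, documentUrl, topLevelUrl: "https://www.example.com/" });

console.log(attachedCookies(frame("allow-scripts"), COOKIES, true));
console.log(attachedCookies(frame("allow-scripts allow-same-site-none-cookies"), COOKIES, true));
```

Adding `allow-same-origin` instead restores the real origin, so the Strict and Lax cookies come back as well, which is the outcome the author's reply says the new token is meant to avoid.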
