
Note for Standardizing Security Semantics of Cross-Site Cookies #653

Closed
DCtheTall opened this issue Jul 8, 2024 · 9 comments

Comments

@DCtheTall
Member

Hey WebAppSec,

Last year we discussed an effort to standardize differences we noticed between browsers' third-party cookie blocking mechanisms. We also discussed standardizing behavior for certain edge use cases for SameSite=None cookies.

@arturjanc and I have published a draft note, which I am hosting, that we would like to publish as a WebAppSec note.

Thanks all in advance for your feedback!

@mikewest
Member

mikewest commented Jul 9, 2024

Thanks! Let's treat this as a CfC to publish this document as a draft note, get a round of feedback or two and aim to call it done by TPAC? Next meeting is on the 17th. I think we can formalize publication at that point.

/cc @dveditz @simoneonofri

@mikewest
Member

mikewest commented Jul 9, 2024

Actually, I'm now wondering whether this would be a good fit for the new SWAG group that's spinning up: https://www.w3.org/community/swag/. WDYT about the WG NOTE vs CG Report dichotomy for something like this, @simoneonofri?

Same question could apply to https://www.w3.org/TR/post-spectre-webdev/, I think.

@simoneonofri
Contributor

Hi @mikewest, thank you for the pointer; I'm talking with @torgo about that.

@arturjanc
Contributor

My gut feeling is that while the notes seem similar to some extent (trying to unpack complex web platform behaviors related to the process model and cookies respectively), they're meant for fairly different audiences. The post-Spectre note is primarily geared towards web developers and tells them how to apply isolation protections for their services, whereas the cookie note is meant primarily for implementers / browser vendors to discuss the security trade-offs of different cookie-related behaviors. I.e. it's not particularly actionable for web developers as-is (but arguably useful to get some cross-vendor alignment in this space).

So I think WebAppSec might be a slightly better place for the cookie note conceptually, but I'm not at all opposed to SWAG if others have a preference for it.

@DCtheTall
Member Author

Hello all, given that the reaction was positive when we presented this work at TPAC 2024, I think it makes sense to move the draft note hosted at https://dcthetall.github.io/webappsec-standardizing-security-semantics-of-cross-site-cookies/ to the W3C org.

@simoneonofri would you be able to help us with that? Thank you :)

@simoneonofri
Contributor

Hi @DCtheTall, from the GitHub side, if you can give me the permissions as the repository owner, I can transfer it (procedure here: https://w3c.github.io/repo-transfer.html) and configure the w3c.json to link to the group.

@DCtheTall
Member Author

DCtheTall commented Nov 12, 2024

Thanks Simone, I invited you to be a collaborator and will give you write permissions.

EDIT: @simoneonofri turns out collaborators cannot transfer repositories. I just requested to transfer the repo to you.

@simoneonofri
Contributor

@DCtheTall, thanks. I transferred the repository to the w3c org; now it is here: https://github.com/w3c/webappsec-standardizing-security-semantics-of-cross-site-cookies

@DCtheTall
Member Author

Thanks, @simoneonofri
