#373: `SameSite=Lax` by default.


Opened May 8, 2019

Guten TAG,

I'm requesting a TAG review of:

Further details (optional):

TL;DR: We're proposing treating cookies as SameSite=Lax by default. Developers would be able to opt into the status quo by explicitly asserting SameSite=None, but to do so, they'll also need to ensure that their cookies won't be delivered over non-secure transport by asserting the Secure attribute. The specification (paginated) spells out the proposal in a bit more detail.

  • Relevant time constraints or deadlines: We'd like to begin experimenting with this behavior in the relatively near future, but we're not planning on shipping it tomorrow.
  • I am more or less familiar with the Self-Review Questionnaire on Security and Privacy. My assessment is that this is a privacy-positive change, as it entails a strict reduction in cookies going over the wire in plaintext, and that it will be a pretty substantial mitigation against CSRF, etc.
  • I have reviewed the TAG's API Design Principles

We'd prefer the TAG provide feedback as (please select one):

  • open issues in our GitHub repo for each point of feedback
  • open a single issue in our GitHub repo for the entire review
  • leave review feedback as a comment in this issue and @-notify [github usernames]

Thanks!
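The following is an added illustration of the policy summarised in the TL;DR above; it is not code from the issue, the specification, Chromium or Gecko. It models the two rules the proposal introduces (a missing SameSite attribute is treated as Lax; SameSite=None is only honoured together with Secure) and then shows what each resulting mode means for a cross-site request. The Lax rule used here (cookie attached on same-site requests and on top-level navigations with a safe method) and the choice to treat an unrecognised SameSite value as Lax are assumptions based on the draft cookie specification of the time, not statements from this thread; the Set-Cookie headers are constructed sample input.

```javascript
// Added illustration of the "SameSite=Lax by default, None only if Secure"
// proposal. Not the project's own code; the Lax semantics and the
// unrecognised-value fallback below are assumptions, not quoted from the page.

// Parse "name=value; Attr; Attr=val" into the parts we care about.
// Attribute names are case-insensitive; attributes we do not model are ignored.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    sameSite: null, // null means the attribute was absent
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// Apply the proposal to one Set-Cookie header:
//   no attribute            -> effective mode Lax
//   None without Secure     -> cookie rejected (never stored)
//   None with Secure        -> explicit opt-out to cross-site delivery
//   Strict / Lax            -> taken as written
//   anything else           -> Lax (assumed fallback, see lead-in)
function classifyUnderProposal(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === null) {
    return { accepted: true, effectiveSameSite: 'lax', reason: 'no SameSite attribute; defaulted to Lax' };
  }
  if (c.sameSite === 'none') {
    if (!c.secure) {
      return { accepted: false, effectiveSameSite: null, reason: 'SameSite=None requires the Secure attribute' };
    }
    return { accepted: true, effectiveSameSite: 'none', reason: 'explicit opt-out over secure transport' };
  }
  if (c.sameSite === 'strict' || c.sameSite === 'lax') {
    return { accepted: true, effectiveSameSite: c.sameSite, reason: 'explicit SameSite value' };
  }
  return { accepted: true, effectiveSameSite: 'lax', reason: `unrecognised value "${c.sameSite}"; treated as Lax` };
}

// Would a stored cookie in this mode be attached to a request?
// ctx = { sameSiteRequest, topLevelNavigation, method }. "Same-site" is the
// registrable-domain notion from the cookie spec; deciding it is out of scope here.
function cookieSentOnRequest(effectiveSameSite, ctx) {
  if (ctx.sameSiteRequest) return true; // every mode allows same-site delivery
  switch (effectiveSameSite) {
    case 'none':
      return true;
    case 'strict':
      return false;
    case 'lax': {
      // Lax: only top-level navigations with a safe method carry the cookie,
      // so a cross-site POST (the classic CSRF shape) goes out without it.
      const safeMethods = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);
      return ctx.topLevelNavigation && safeMethods.has(ctx.method.toUpperCase());
    }
    default:
      return false;
  }
}

// Run constructed headers through the policy against a cross-site POST and
// report, per cookie, whether it is stored and whether that POST would carry it.
function demo() {
  const headers = [
    'session=abc123; Path=/; HttpOnly',   // legacy cookie with no attribute
    'tracker=xyz; SameSite=None',         // opt-out attempted without Secure
    'tracker=xyz; SameSite=None; Secure', // opt-out done correctly
    'csrf=tok; SameSite=Strict; Secure',
  ];
  const crossSitePost = { sameSiteRequest: false, topLevelNavigation: false, method: 'POST' };
  return headers.map((h) => {
    const verdict = classifyUnderProposal(h);
    return {
      header: h,
      accepted: verdict.accepted,
      mode: verdict.effectiveSameSite,
      sentOnCrossSitePost: verdict.accepted && cookieSentOnRequest(verdict.effectiveSameSite, crossSitePost),
    };
  });
}

console.log(JSON.stringify(demo(), null, 2));
```

The first header is the case the proposal is about: a cookie that today rides along on a cross-site POST stops doing so with no change on the server. The second shows the cost of the opt-out rule, since a site that sets SameSite=None but forgets Secure loses the cookie entirely rather than keeping the old behaviour, which is the kind of breakage to look for in server logs when this default rolls out.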

Discussions

Comment by @hober May 22, 2019 (See Github)

Assigning @dbaron and myself because I'd like each of us to talk to colleagues on our teams with the relevant domain expertise.

Comment by @kenchris May 23, 2019 (See Github)

Gecko: Intent to implement: Cookie SameSite=lax by default and SameSite=none only if secure

https://groups.google.com/forum/#!msg/mozilla.dev.platform/nx2uP0CzA9k/BNVPWDHsAQAJ

Comment by @RByers Jun 10, 2019 (See Github)

Blink: Intent to implement and ship: Cookies with SameSite by default

Note that SameSite=None is currently treated as Strict in iOS / MacOS. I have argued that I don't think we can reasonably ship this in blink as a result (don't want to force developers to rely on UA sniffing). If the CFNetwork fix (rdar://problem/42290578) got back-ported to iOS 12 then that would probably address my concern. Alternately, a different design using a new token (instead of SameSite) could address the adoption concern, but it seems that would probably be a real shame to stick the web with. @hober this is the issue I mentioned at the CSSWG meeting last week.

Comment by @dbaron Sep 11, 2019 (See Github)

I'm curious if @bakulf has any interesting feedback from prototyping in Gecko (I also can't tell from the bug what the state of the pref being enabled is).

Comment by @bakulf Sep 11, 2019 (See Github)

SameSite=Lax by default has been a topic of a couple of dom-security meetings. Currently, this feature is disabled by default, but we have strong interests in enabling in nightly, and maybe in release too. We asked Mark Goodwin to follow this topic, but after that, I don't know what has happened.

Comment by @chlily1 Sep 11, 2019 (See Github)

Chrome is looking at enabling this on pre-Stable channels soon. https://www.chromestatus.com/feature/5088147346030592

Comment by @hober Dec 5, 2019 (See Github)

Hi,

@dbaron, @plinss, @ylafon, and I took another look at this in our Cupertino F2F. We're satisfied with how this review has gone and the current direction of the proposal. We're going to close this issue. Thanks!