#497: Schemeful Same-Site


Opened Apr 9, 2020

Hello TAG!

I'm requesting a TAG review of Schemeful Same-Site.

The SameSite cookie attribute is designed to defend against CSRF attacks but currently does not take the scheme of the site into account. This was originally to assist sites during their transition to HTTPS; however, it results in the secure and insecure versions of the same host being considered same-site. A network attacker could thus impersonate http://site.example and use it to bypass SameSite protections on https://site.example. Between this security flaw and HTTPS usage markedly increasing, we believe it is time to change this definition.

Modify SameSite’s implementation in the user agent to consider origins with different schemes as cross-site. Thus https://site.example and http://site.example would now be considered cross-site.

Further details:

  • I have reviewed the TAG's API Design Principles
  • The group where the incubation/design work on this is being done (or is intended to be done in the future): IETF
  • The group where standardization of this work is intended to be done ("unknown" if not known): IETF
  • Existing major pieces of multi-stakeholder review or discussion of this design: None
  • Major unresolved issues with or opposition to this design: N/A, unknown
  • This work is being funded by: Google

We'd prefer the TAG provide feedback as (please delete all but the desired option):

💬 leave review feedback as a comment in this issue and @-notify @sbingler
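As an added illustration (not code from the review request or from the Schemeful Same-Site proposal itself), the following JavaScript contrasts the current schemeless site comparison with the schemeful one described above. The `PUBLIC_SUFFIXES` table is a constructed stand-in for the real Public Suffix List, and `.example` is treated as a public suffix so that `site.example` is a registrable domain.

```javascript
// Constructed stand-in for the Public Suffix List (assumption, not real data).
const PUBLIC_SUFFIXES = new Set(["com", "example", "co.uk"]);

// Registrable domain = public suffix plus one more label (eTLD+1).
// Returns null when the host is itself a public suffix.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) {
      if (i === 0) return null;
      return labels.slice(i - 1).join(".");
    }
  }
  // No known suffix: treat the whole host as its own site.
  return host.toLowerCase();
}

// The "site" of a URL under the two definitions.
//   schemeless (current behaviour): eTLD+1 only, so http and https collapse
//                                   into one site, which is the flaw above.
//   schemeful  (proposed):          scheme + eTLD+1.
// Port and path are ignored in both cases.
function siteOf(urlString, { schemeful }) {
  const url = new URL(urlString);
  const domain = registrableDomain(url.hostname);
  if (domain === null) return null;
  return schemeful ? `${url.protocol}//${domain}` : domain;
}

// Same-site check as a user agent would apply it before attaching a
// SameSite=Lax/Strict cookie to a cross-origin request.
function isSameSite(urlA, urlB, { schemeful }) {
  const siteA = siteOf(urlA, { schemeful });
  const siteB = siteOf(urlB, { schemeful });
  return siteA !== null && siteA === siteB;
}

// Under the schemeful definition the http and https versions of site.example
// are cross-site, so a request from http://site.example no longer carries
// SameSite-protected cookies belonging to https://site.example.
function demo() {
  const a = "https://site.example/account";
  const b = "http://site.example/attacker-page";
  return {
    schemeless: isSameSite(a, b, { schemeful: false }),
    schemeful: isSameSite(a, b, { schemeful: true }),
  };
}
```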

Discussions

2020-04-20

Minutes

Dan: we asked for more explainy explainer, and how it fits together with scheme bound cookies.

[bumped]