On 18/07/2025 16:15, Claude Pache wrote:
> Hi,
>
Hi Claude
> 1. The RFC says: “CHIPS technology was introduced not so long ago, but still
> has “little” adoption (currently “only” available in Blink-based browsers).”
>
> It might be useful to add the following precisions, so that we are more
> confident that it has good chance not to remain a Blink-only feature:
> * As of time of writing, there is an experimental implementation in Firefox.
> * The feature has also been implemented in Safari, but has been temporarily
> disabled because of an issue known by Apple only.
>
Sure! Those are good points to clarify the introduction. Thanks!
>
> 2. All examples in the RFC are variations on `setcookie("name", "value",
> ["secure" => true, "partitioned" => true]);`, without same-site attribute.
>
> As partitioned cookies are only meaningful as third-party cookies, what is
> the behaviour when:
>
> (a) the same-site attribute is set to anything different from "None"?
> (b) the same-site attribute is omitted? (Although historically, omitting the
> same-site parameter is equivalent to setting it to "None", browser vendors
> are willing to switch the default to "Lax", and some browsers (including
> Blink-based ones) have already done the switch.)
>
> In all examples I’ve seen on the web, an explicit `samesite=None` attribute
> is added to partitioned cookies, probably for some good reason?
Yep, all examples use "samesite=None" because you need that to create a 3rd
party cookie. So including "Partitioned" without "samesite=None" is useless in
those cases.
Although if "samesite=Lax" is still the default for a particular browser, then
it won't be useless, but I believe the goal is - as you said - to switch all
browsers over to "samesite=None".
According to https://github.com/privacycg/CHIPS, the following will happen:
(a) The cookie won't be sent to a 3rd party context and "Partitioned" won't
have an effect. The cookie header is still interpreted correctly so it will
have an effect on the origin site, just not in a 3rd party context.
(b) Depends on what the default is for a particular browser.
Kind regards
Niels
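To make the (a)/(b) cases above concrete, here is an added example (not part of the thread, and not PHP's own setcookie() implementation) that builds the Set-Cookie header the RFC's options array describes and reports when the Partitioned attribute is ineffective. The option keys `secure`, `httponly`, `samesite`, `path`, `domain` mirror PHP's setcookie() options array; `partitioned` is the key the RFC proposes and is treated here as an assumed dict key.

```python
"""Build a Set-Cookie header from a setcookie()-style options dict and flag
attribute combinations under which 'Partitioned' has no effect.

Added example; the helper name build_set_cookie and its option keys are
assumptions modelled on PHP's setcookie() options array plus the RFC's
proposed 'partitioned' key.
"""
from typing import Dict, List, Tuple
from urllib.parse import quote_plus


def build_set_cookie(name: str, value: str,
                     options: Dict[str, object]) -> Tuple[str, List[str]]:
    """Return (header_value, warnings).

    Raises ValueError for combinations browsers reject outright; returns a
    warning for combinations that are accepted but where 'Partitioned'
    cannot do anything in a third-party context.
    """
    warnings: List[str] = []
    secure = bool(options.get("secure", False))
    httponly = bool(options.get("httponly", False))
    samesite = options.get("samesite")          # None: attribute omitted
    partitioned = bool(options.get("partitioned", False))

    # CHIPS requires Secure; refuse rather than emit a cookie browsers drop.
    if partitioned and not secure:
        raise ValueError("Partitioned cookies must also be Secure")
    # SameSite=None without Secure is likewise rejected by browsers.
    if samesite is not None and str(samesite).lower() == "none" and not secure:
        raise ValueError("SameSite=None requires Secure")

    if partitioned:
        if samesite is None:
            # Case (b): whether the cookie is usable cross-site depends on
            # the browser's default for a missing SameSite attribute.
            warnings.append("SameSite omitted: third-party behaviour depends "
                            "on the browser default")
        elif str(samesite).lower() != "none":
            # Case (a): Lax/Strict cookies are not sent in third-party
            # contexts, so Partitioned has no effect there.
            warnings.append(f"SameSite={samesite}: cookie is not sent in "
                            "third-party contexts, Partitioned has no effect")

    parts = [f"{name}={quote_plus(str(value))}"]
    if "domain" in options:
        parts.append(f"Domain={options['domain']}")
    if "path" in options:
        parts.append(f"Path={options['path']}")
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    if samesite is not None:
        parts.append(f"SameSite={samesite}")
    if partitioned:
        parts.append("Partitioned")
    return "; ".join(parts), warnings


if __name__ == "__main__":
    # The RFC's example as written: Secure + Partitioned, no SameSite.
    print(build_set_cookie("name", "value",
                           {"secure": True, "partitioned": True}))
    # The form seen in CHIPS examples on the web: explicit SameSite=None.
    print(build_set_cookie("name", "value",
                           {"secure": True, "partitioned": True,
                            "samesite": "None"}))
```

The first call returns the header the RFC example produces together with the case (b) warning; only the variant with an explicit `samesite => "None"` comes back with no warning, which is why the public examples all include it.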