Re: [webkit-dev] Same-Site cookies by default

2020-03-07 Thread Maciej Stachowiak
> On Mar 6, 2020, at 6:58 PM, Patrick Griffis wrote:
>
> On 2020-03-06 6:51 pm, John Wilander wrote:
>> Hi Patrick!
>>
>> Thanks for bringing this up. I’ll share my view of where we are.
>>
>> First of all, cookies mostly live in the http layer so the various
>> WebKit ports would have to

Re: [webkit-dev] Same-Site cookies by default

2020-03-06 Thread John Wilander
> On Mar 6, 2020, at 6:59 PM, Patrick Griffis wrote:
>
> On 2020-03-06 6:51 pm, John Wilander wrote:
>> Hi Patrick!
>>
>> Thanks for bringing this up. I’ll share my view of where we are.
>>
>> First of all, cookies mostly live in the http layer so the various
>> WebKit ports would have to

Re: [webkit-dev] Same-Site cookies by default

2020-03-06 Thread Patrick Griffis
On 2020-03-06 6:51 pm, John Wilander wrote:
> Hi Patrick!
>
> Thanks for bringing this up. I’ll share my view of where we are.
>
> First of all, cookies mostly live in the http layer so the various
> WebKit ports would have to work this out independently to some extent.
> Maybe libcurl and

Re: [webkit-dev] Same-Site cookies by default

2020-03-06 Thread John Wilander
Hi Patrick! Thanks for bringing this up. I’ll share my view of where we are. First of all, cookies mostly live in the http layer so the various WebKit ports would have to work this out independently to some extent. Maybe libcurl and libsoup have readily available APIs for this? Second, we

Re: [webkit-dev] Same-Site cookies by default

2020-03-06 Thread Maciej Stachowiak
Current WebKit trunk blocks all third party cookies (with ITP enabled), which is a more extreme version of the same thing. We’re currently testing the compatibility fallout. Treating cookies as SameSite=Lax by default is moot when third-party cookies are blocked, as the SameSite=None behavior

[webkit-dev] Same-Site cookies by default

2020-03-06 Thread Patrick Griffis
Chromium has had the idea to treat all cookies as SameSite=Lax by default as well as blocking SameSite=None over HTTP for a while now, hidden behind a flag, and seem to be rolling this out soon. The topic is discussed in detail here: