mkwst, mind taking a look?

See  issue 617569 

Please ignore my previous comment (now deleted).

While I think the spec could be more clear, where section 4.1 starts by saying:

    If [the] "attribute-value" is not a case-sensitive match
    for "Strict" or "Lax", ignore the "cookie-av".

It does not mean ignore the cookie attribute SameSite, it's saying that the *attribute value* should be ignored, the SameSite attribute itself should still be respected; where Step 2 then goes on to say that it should default to Strict.

That said, I would still prefer every website to explicitly state the level of enforcement that they want.

I kind of like the idea of a default, and that default being the more strict option too!

It also makes the cookie a littler smaller/tidier ;-)

True, I agree that more secure defaults are a good thing.

But when you are setting soemething that can break navigation between websites (destination will not think you are logged in), then I'd rather the developers be explicit :-)

Test page: https://bayden.com/test/cookie/BareSameSiteCookie.aspx

I filed https://github.com/httpwg/http-extensions/issues/389 on the ambiguity in the spec. I don't think Chrome matches any reasonable interpretation of the latest spec; at worst we should ignore the SameSite attribute, but not fail to set the cookie.

bool ParsedCookie::IsValid() const {
  return !pairs_.empty() && IsSameSiteAttributeValid();  <-- This seems wrong.
}

bool ParsedCookie::IsSameSiteAttributeValid() const {
  return same_site_index_ == 0 || SameSite() != CookieSameSite::DEFAULT_MODE;
}

https://chromium-review.googlesource.com/c/chromium/src/+/648221

Hrmph. It looks like the https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00 draft is outdated vs. https://github.com/httpwg/http-extensions/edit/master/draft-ietf-httpbis-cookie-same-site.md. The latter no longer allows a bare "SameSite" token, and it calls for the cookie to be dropped in the event that the samesite-value isn't either "strict" or "lax".

That would imply this bug should be "Won't Fixed".

The specification has changed[1], and now says that the attribute should be ignored rather than ignoring the cookie.

The CL in #8 treats a missing/invalid attribute as "strict" which doesn't match the new version of the spec.

[1] https://github.com/httpwg/http-extensions/commit/c303325cd14b3fbbda85b22f2bdee622d922c5be

https://chromium-review.googlesource.com/c/chromium/src/+/1007866

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5fbb75e93162093522879e707a13295b7452ef06

commit 5fbb75e93162093522879e707a13295b7452ef06
Author: Eric Lawrence <elawrence@chromium.org>
Date: Thu Apr 12 20:39:53 2018

Update SameSite cookie handling to match specification

The SameSite cookie specification calls for ignoring the SameSite
attribute if the value is empty or unrecognized. Previously, Chrome
would refuse to create a cookie with an empty or unrecognized
SameSite attribute value.

Bug:  635882 
Test: net_unittests
Change-Id: I429058d6f97db107307f9affb99bf96f4e175a2a
Reviewed-on: https://chromium-review.googlesource.com/1007866
Commit-Queue: Eric Lawrence <elawrence@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550344}
[modify] https://crrev.com/5fbb75e93162093522879e707a13295b7452ef06/net/cookies/canonical_cookie_unittest.cc
[modify] https://crrev.com/5fbb75e93162093522879e707a13295b7452ef06/net/cookies/cookie_constants.h
[modify] https://crrev.com/5fbb75e93162093522879e707a13295b7452ef06/net/cookies/parsed_cookie.cc
[modify] https://crrev.com/5fbb75e93162093522879e707a13295b7452ef06/net/cookies/parsed_cookie.h
[modify] https://crrev.com/5fbb75e93162093522879e707a13295b7452ef06/net/cookies/parsed_cookie_unittest.cc

Fixed in 67.0.3396.0.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5fbb75e93162093522879e707a13295b7452ef06

commit 5fbb75e93162093522879e707a13295b7452ef06
Author: Eric Lawrence <elawrence@chromium.org>
Date: Thu Apr 12 20:39:53 2018

Update SameSite cookie handling to match specification

The SameSite cookie specification calls for ignoring the SameSite
attribute if the value is empty or unrecognized. Previously, Chrome
would refuse to create a cookie with an empty or unrecognized
SameSite attribute value.

Bug:  635882 
Test: net_unittests
Change-Id: I429058d6f97db107307f9affb99bf96f4e175a2a
Reviewed-on: https://chromium-review.googlesource.com/1007866
Commit-Queue: Eric Lawrence <elawrence@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550344}
[modify] https://crrev.com/5fbb75e93162093522879e707a13295b7452ef06/net/cookies/canonical_cookie_unittest.cc
[modify] https://crrev.com/5fbb75e93162093522879e707a13295b7452ef06/net/cookies/cookie_constants.h
[modify] https://crrev.com/5fbb75e93162093522879e707a13295b7452ef06/net/cookies/parsed_cookie.cc
[modify] https://crrev.com/5fbb75e93162093522879e707a13295b7452ef06/net/cookies/parsed_cookie.h
[modify] https://crrev.com/5fbb75e93162093522879e707a13295b7452ef06/net/cookies/parsed_cookie_unittest.cc