Samesite cookies can be set when not in same site context
Reported by a...@microsoft.com, Apr 26 2018
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17654

Steps to reproduce the problem:
A page should not be able to set a samesite cookie when not in a samesite context. For instance, a top-level a.com has an iframe to b.com and b.com tries to set a cookie with the samesite attribute.

Please see the GitHub issue here: https://github.com/httpwg/http-extensions/issues/594
There is a corresponding Firefox bug here: https://github.com/httpwg/http-extensions/issues/594

What is the expected behavior?

What went wrong?
A page is able to set a samesite cookie when not in a samesite context.

Did this work before? No
Does this work in other browsers? N/A

Chrome version: 64.0.3282.140 Channel: stable
OS Version: 10.0
Flash Version:
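The a.com / b.com scenario from the issue description, as an added JavaScript sketch that is not part of the report or Chromium's code. The function names, the two-label approximation of a "site", and the sample headers are assumptions made for illustration.

```javascript
// Added example, not Chromium code. Models the expected behaviour in the report:
// a response may set a SameSite cookie only from a same-site context.

// Assumption: a "site" is approximated by the last two host labels.
// Real browsers derive the registrable domain from the Public Suffix List.
function siteOf(url) {
  return new URL(url).hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header value into its name and SameSite attribute.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? "" : pair.slice(0, eq), sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    // Only Strict and Lax are modelled; other values are left unrestricted here.
    if (key === "samesite" && (value === "strict" || value === "lax")) {
      cookie.sameSite = value;
    }
  }
  return cookie;
}

// ancestorUrls: URLs of the frames above the responding document, top-level first
// (empty for a top-level navigation). responseUrl: URL that sent Set-Cookie.
function shouldStoreCookie(ancestorUrls, responseUrl, setCookieHeader) {
  const cookie = parseSetCookie(setCookieHeader);
  if (cookie.sameSite === null) return { store: true, reason: "no SameSite attribute" };
  const site = siteOf(responseUrl);
  const crossSite = ancestorUrls.find((u) => siteOf(u) !== site);
  if (crossSite !== undefined) {
    return { store: false, reason: `cross-site ancestor ${siteOf(crossSite)}` };
  }
  return { store: true, reason: "same-site context" };
}

// Constructed inputs: the a.com / b.com scenario from the report.
const cases = [
  [["https://a.com/"], "https://b.com/frame", "sid=1; SameSite=Strict"],
  [["https://a.com/"], "https://www.a.com/frame", "sid=1; SameSite=Lax"],
  [["https://a.com/"], "https://b.com/frame", "sid=1; Path=/"],
];
for (const [ancestors, url, header] of cases) {
  console.log(url, header, shouldStoreCookie(ancestors, url, header));
}
```
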
Apr 27 2018
I'm not sure whether this can be fixed in the browser process or needs more information from Blink. Sending to Blink>Loader for further triage.
May 9 2018
Mike, can you triage this issue? I think you are the best to discuss same site cookies. I may be, but on leave for a while.
Aug 3
This bug has an owner, thus, it's been triaged. Changing status to "assigned".
Oct 4
(Unassigning myself, marking untriaged in preparation to retriage with folks who will do a better job taking care of cookies than I've been able to)
Oct 11
Removing "Blink>Loader" as this issue is on the radar of Hotlist-Cookies.
Comment 1 by krajshree@chromium.org, Apr 27 2018