Closed DCtheTall closed 2 years ago
In our use case there is a requirement to share data via cookie between example.com and subdomain.example.com. We are open to suggestions if there is a proposed solution under paradigm of restricting third party cookies.
Is this a different spelling for #30?
Is this a different spelling for #30?
@martinthomson #30 was plainly about removing the Host- prefix naming requirement; but did not raise concerns with the hostname-boundedness requirement itself. It is resolved by removing the Host- prefix requirement, but keeping the "no `Domain' attribute" requirement; which essentially still enforces hostname-boundedness.
This issue is asking whether the "no Domain
" requirement should also be removed (in addition to the __Host-prefix requirement); and therefore challenges hostname-boundedness itself.
Closing this now that #46 has landed and Chrome is no longer enforcing the no-Domain requirement.
We have received feedback from site authors who have been participating in the CHIPS origin trial that the no-Domain attribute requirement is making CHIPS more difficult to adopt.
The purpose of the no-Domain attribute requirement is that it ensures partitioned cookies are keyed on the hostname of the request URL and not sent across subdomains, which provides security benefits. For example, the no-Domain requirement would prevent example.com from sharing its partitioned cookies across shop.example.com and pay.example.com. The goal of this requirement is to guarantee that sites do not receive cross-site cookies from malicious/compromised subdomains, and mitigates against using Domain cookies as a channel to leak data across subdomains (at least in cross-site contexts where partitioned cookies are used).
However, this would be a paradigm shift on the web that adds additional churn for sites that are already migrating off of third-party cookies. WICG/CHIPS/issues/39 describes an example of a common architecture that will need to be adapted to this new requirement.
Since the primary goal of CHIPS is to facilitate the deprecation of third-party cookies, it seems reasonable to open a conversation about whether the no-Domain requirement is necessary.