Open johannhof opened 5 months ago
Strong agreement that Strict should be permitted. I think it is clear in the explainer that we can't allow them (nor Lax) now.
FWIW it looks like Chrome's implementation currently does not require SameSite=None. I'm not sure if this is consistent with the intent in the explainer, since the "may only accept" phrasing always felt ambiguous to me.
Same confusion here as well. Here, https://developers.google.com/privacy-sandbox/blog/chips-origin-trial#cookies_requirements, it says: "Partitioned cookies should include SameSite=None attribute as well, to allow cookies to be sent in a third-party context in browsers that don't support cookie partitioning."
Nowhere does it say SameSite=None is a must for partitioned cookies.
That quote actually seems to support Chris. The SameSite=none is stated as "should", not "MUST" (not that we are in RFC 2119 territory), and isn't in the list with the Secure requirement.
I think that doc does it well, but I think the paragraph "Partitioned cookies should include SameSite=None attribute as well, to allow cookies to be sent in a third-party context in browsers that don't support cookie partitioning." means "Partitioned cookies may need to include the SameSite=None attribute as well, if that attribute was needed before third-party cookie deprecation". But I'm no devrel expert.
"may only accept" phrasing always felt ambiguous to me. I see that as ambiguous now; I only read it the one way before.
The SameSite attribute section seems like it was written at a time when only cross-site (A embeds B) Partitioned cookies were supported. Now that we support top-level / ABA Partitioned cookies we should update the section to clarify what happens when you set cookies with `SameSite=Strict; Partitioned`. We should also update the spec and write WPTs :)
@bvandersloot-mozilla FYI since Mozilla is prototyping this
cc @cfredric @DCtheTall