w3c / webappsec

Web Application Security Working Group repo
https://www.w3.org/groups/wg/webappsec/

Note for Standardizing Security Semantics of Cross-Site Cookies #653

Open DCtheTall opened 3 months ago

DCtheTall commented 3 months ago

Hey WebAppSec,

Last year we discussed an effort to standardize differences we noticed between browsers' third-party cookie blocking mechanisms. We also discussed standardizing behavior for certain edge use cases for SameSite=None cookies.

@arturjanc and I have published a draft note, which I am hosting, that we would like to publish as a WebAppSec note.

Thanks all in advance for your feedback!

mikewest commented 3 months ago

Thanks! Let's treat this as a CfC to publish this document as a draft note, get a round of feedback or two and aim to call it done by TPAC? Next meeting is on the 17th. I think we can formalize publication at that point.

/cc @dveditz @simoneonofri

mikewest commented 3 months ago

Actually, I'm now wondering whether this would be a good fit for the new SWAG group that's spinning up: https://www.w3.org/community/swag/. WDYT about the WG NOTE vs CG Report dichotomy for something like this, @simoneonofri?

Same question could apply to https://www.w3.org/TR/post-spectre-webdev/, I think.

simoneonofri commented 3 months ago

Hi @mikewest, thank you for the pointer. I'm talking with @torgo about that.

arturjanc commented 2 months ago

My gut feeling is that while the notes seem similar to some extent (trying to unpack complex web platform behaviors related to the process model and cookies respectively), they're meant for fairly different audiences. The post-Spectre note is primarily geared towards web developers and tells them how to apply isolation protections for their services, whereas the cookie note is meant primarily for implementers / browser vendors to discuss the security trade-offs of different cookie-related behaviors. I.e. it's not particularly actionable for web developers as-is (but arguably useful to get some cross-vendor alignment in this space).

So I think WebAppSec might be a slightly better place for the cookie note conceptually, but I'm not at all opposed to SWAG if others have a preference for it.