The piece of documentation I want most for the modern web is something that explains to me what variants of a "set-cookie:" header work in which modern browsers under which conditions
-
Simon Willison replied to Simon Willison:
A few years ago I put a bunch of work into figuring out the SameSite cookie attribute because the documentation for how that actually worked was so thin on the ground https://simonwillison.net/2021/Aug/3/samesite/
-
Jeffrey Yasskin replied to Simon Willison:
@simon There's some work going on at https://johannhof.github.io/draft-annevk-johannhof-httpbis-cookies/draft-annevk-johannhof-httpbis-cookies.html to specify this. Does that draft at least improve the situation? I believe they're accepting complaints and suggestions.
-
Simon Willison replied to Jeffrey Yasskin:
@jyasskin that looks great! The thing that's missing is exact documentation as to which version of which browsers implement which policies - three years ago I was having trouble figuring out which browsers had actually implemented SameSite=lax by default, the situation on that is no better today!
-
Jeffrey Yasskin replied to Simon Willison:
@simon I think https://caniuse.com/mdn-http_headers_set-cookie_samesite_lax_default answers that question? I haven't checked that it's correct, but generally it'd be nice for `caniuse` to answer questions about how completely each browser implements consensus and proposed standards.
-
Simon Willison replied to Jeffrey Yasskin:
@jyasskin sadly that doesn’t cover the deeper issue of what happens if you send set-cookie without a SameSite attribute at all - or weird undocumented edge-cases like what changes if a Safari user turns on “Prevent Cross-Site Tracking”
-
@simon Well, a very stupid summary with some elements of wrong.
1st party cookies with controlled subdomain and permissions will be fine.
The rest, notably 3rd party cookies are going to be very difficult (especially for FF and Safari since Chrome has kinda given up).
-
@Melaskia I’ll be honest: I don’t even completely understand what the term “third party cookie” means at the level of sending set-cookie headers!
-
Simon Willison replied to Simon Willison:
I just read the FAQ for Firefox "Total Cookie Protection" and I am sadly no closer to understanding what impact Total Cookie Protection has on how I should build web applications - I'm particularly interested in understanding how it impacts things like OAuth SSO https://support.mozilla.org/en-US/kb/total-cookie-protection-and-website-breakage-faq
-
@simon OAuth doesn't use third-party cookies so I believe it's all good. The problem is with SSO systems which use third-party cookies to transparently log you in across several domains.
-
@russss aaah gotcha - that’s the thing that caused the Chrome team to implement their weird 2-minute twist https://simonwillison.net/2021/Aug/3/samesite/#chrome-2-minute-twist
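The thread keeps circling three cases: a Set-Cookie header with no SameSite attribute at all, the third-party (cross-site subresource) cookies that SSO-style logins depend on, and Chrome's two-minute allowance for cross-site POSTs. The simulator below is an added example written for this page, not code from any participant or browser vendor. It parses a Set-Cookie value and decides whether a cookie would ride along on a given request under a chosen policy. The `CHROME_LIKE` and `LEGACY` presets, the `Policy`, `Request` and `Cookie` types and the `is_sent`/`decide` helpers are all constructed assumptions for illustration; they are not a verified per-browser, per-version compatibility table, which is exactly the documentation the thread says is missing.

```python
"""Simulate whether a browser attaches a cookie to a request under SameSite rules.
Constructed example: the policy presets are assumptions, not vendor documentation."""
from dataclasses import dataclass
from typing import Optional, Tuple

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    samesite: Optional[str] = None   # "Strict", "Lax", "None", or None when the attribute is absent
    age_seconds: float = 0.0         # seconds since the cookie was set; only the 2-minute rule uses it


@dataclass
class Request:
    cross_site: bool    # initiator site differs from the cookie's site (the "third-party" case)
    top_level: bool     # top-level navigation, as opposed to an iframe/fetch/subresource load
    method: str = "GET"


@dataclass
class Policy:
    """Constructed policy knobs (assumptions for illustration, not a browser's real settings)."""
    default_lax: bool                   # treat a cookie with no SameSite attribute as Lax
    lax_unsafe_window: float = 0.0      # seconds a no-attribute cookie may still ride a cross-site POST
    require_secure_for_none: bool = True  # reject SameSite=None unless Secure is also present


# Assumed presets: CHROME_LIKE mirrors Lax-by-default plus the 2-minute POST allowance the
# thread refers to; LEGACY is the older "no attribute means unrestricted" behaviour.
CHROME_LIKE = Policy(default_lax=True, lax_unsafe_window=120.0)
LEGACY = Policy(default_lax=False, require_secure_for_none=False)


def parse_set_cookie(header: str, age_seconds: float = 0.0) -> Cookie:
    """Parse a Set-Cookie header value of the form 'name=value; Attr; Attr=val'."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), age_seconds=age_seconds)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "samesite":
            cookie.samesite = val.strip().capitalize()   # normalise "lax" -> "Lax", "none" -> "None"
    return cookie


def is_sent(cookie: Cookie, req: Request, policy: Policy) -> Tuple[bool, str]:
    """Return (sent?, reason) for one cookie on one request under one policy."""
    # A SameSite=None cookie without Secure is dropped at set time on modern policies.
    if cookie.samesite == "None" and not cookie.secure and policy.require_secure_for_none:
        return False, "SameSite=None without Secure: cookie was never stored"
    mode = cookie.samesite or ("Lax" if policy.default_lax else "None")
    if not req.cross_site:
        return True, f"same-site request (effective SameSite={mode})"
    if mode == "Strict":
        return False, "Strict: never sent on cross-site requests"
    if mode == "None":
        return True, "effective SameSite=None: sent cross-site"
    # Effective Lax from here on.
    if req.top_level and req.method in SAFE_METHODS:
        return True, "Lax: cross-site top-level navigation with a safe method"
    if (req.top_level and cookie.samesite is None
            and cookie.age_seconds < policy.lax_unsafe_window):
        return True, "Lax-by-default cookie younger than the unsafe-method window (the 2-minute twist)"
    if req.top_level:
        return False, f"Lax: cross-site top-level {req.method} is blocked"
    return False, "Lax: cross-site iframe/fetch/subresource is blocked"


def decide(header: str, req: Request, policy: Policy, age_seconds: float = 0.0) -> bool:
    """Convenience wrapper: parse the header and report only the send/withhold verdict."""
    return is_sent(parse_set_cookie(header, age_seconds), req, policy)[0]


if __name__ == "__main__":
    # Constructed scenarios: an SSO check inside an embedded frame, an OAuth callback via
    # top-level GET, and a cross-site form POST.
    scenarios = [
        ("sso iframe", Request(cross_site=True, top_level=False)),
        ("oauth redirect", Request(cross_site=True, top_level=True)),
        ("cross-site POST", Request(cross_site=True, top_level=True, method="POST")),
    ]
    headers = ["sid=abc", "sid=abc; SameSite=Lax", "sid=abc; SameSite=None; Secure", "sid=abc; SameSite=None"]
    for hdr in headers:
        for label, req in scenarios:
            sent, why = is_sent(parse_set_cookie(hdr, age_seconds=30), req, CHROME_LIKE)
            print(f"{hdr!r:36} {label:16} -> {'sent' if sent else 'withheld':8} ({why})")
```

Running it shows why the thread's two questions have different answers: an OAuth-style redirect is a top-level GET, so an attribute-less cookie still arrives under Lax-by-default, while an SSO login that relies on a cookie inside a cross-site iframe is withheld unless the cookie was explicitly set with `SameSite=None; Secure`. Swapping `CHROME_LIKE` for `LEGACY` reproduces the older behaviour, and the `age_seconds` argument is the knob for reasoning about the two-minute allowance on cross-site POSTs.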