
Same-Site Cookies by Default - twapi
https://textslashplain.com/2019/09/30/same-site-cookies-by-default/
======
crgwbr
Sigh. This is going to break a lot of sites—especially the less than clearly
documented behavior of SameSite=Lax with iframe content. If I understand it
correctly, iframe’d content, even from the same domain as the parent frame,
won’t receive any cookies set to SameSite=Lax or Strict.

Does anyone know the rationale for this on non-cross-domain frames?

~~~
sebazzz
For same-domain requests, even with an iframe, the cookies are sent. I'm more
worried about the fact that it may break cross-domain authentication, though
most authentication frameworks support passing state through the
authentication mechanism.

------
zamadatix
This will be great. I tried whitelisting 3rd-party cookies for a couple of
months, but it was unsustainable; this is a good step forward.

~~~
jesseschalken
What did you have to whitelist? I've had third party cookies disabled for a
few weeks and it seems to work.

------
pintxo
...

> So the Chrome folks plan to change that.

> In Chrome 80 and later, cookies will default to SameSite=Lax. This means
> that cookies will automatically be sent only in a first party context unless
> they opt-out by explicitly setting a directive of None:
    
    
        Set-Cookie: ACookieAvailableCrossSite; SameSite=None; secure; httponly
    

> This change is small in size, and huge in scope. It has huge implications
> for any site that expects its cookies to be used in a cross-origin context.

...

> The Chrome team has set an ambitious timeline which calls for turning this
> feature on-by-default for Chrome 80, slated for stable release on February
> 4th, 2020.
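
A small model of the Lax/Strict/None rules the quoted passage describes, including the same-site-iframe question raised at the top of the thread. This is added example code, not from the article or the thread; the Cookie/Request types and the effective_same_site/cookie_sent helpers are illustrative names, and it assumes Chrome 80's behaviour of treating a missing attribute as Lax and rejecting SameSite=None cookies that are not also Secure.

```python
from dataclasses import dataclass
from typing import Optional

# Cross-site top-level navigations carry Lax cookies only for "safe" methods.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Cookie:
    name: str
    same_site: Optional[str]  # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool = False


@dataclass
class Request:
    same_site: bool              # True when the request site matches the top-level site
    top_level_navigation: bool   # True for navigations; False for iframes, XHR, <img>, ...
    method: str = "GET"


def effective_same_site(cookie: Cookie, chrome80_default: bool = True) -> str:
    """Resolve which SameSite mode applies to a cookie.
    Before Chrome 80 a cookie without the attribute behaved like SameSite=None;
    from Chrome 80 on, the missing attribute defaults to Lax."""
    if cookie.same_site is None:
        return "Lax" if chrome80_default else "None"
    return cookie.same_site


def cookie_accepted(cookie: Cookie, chrome80_default: bool = True) -> bool:
    """Chrome 80+ drops SameSite=None cookies that are not also marked Secure,
    so the opt-out shown in the article needs both directives."""
    if chrome80_default and effective_same_site(cookie, chrome80_default) == "None":
        return cookie.secure
    return True


def cookie_sent(cookie: Cookie, req: Request, chrome80_default: bool = True) -> bool:
    """Would this cookie accompany this request?"""
    if not cookie_accepted(cookie, chrome80_default):
        return False
    mode = effective_same_site(cookie, chrome80_default)
    if req.same_site:
        return True  # first-party context: every mode sends it, same-site iframes included
    if mode == "None":
        return True  # explicitly opted in to cross-site use
    if mode == "Lax":
        return req.top_level_navigation and req.method.upper() in SAFE_METHODS
    return False     # Strict: never sent cross-site
```

Running the same legacy cookie (no attribute) through a cross-site iframe request with chrome80_default set to False and then True shows exactly the break the thread worries about: the cookie was sent before and is withheld after.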

