Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WIP] RFC6265bis: "Lax-Allowing-Unsafe" applies to cross-site redirect #2351

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

sbingler
Copy link
Collaborator

This PR is a WIP while waiting on data to show us that this is the correct approach.

Until #1348, the spec mistakenly didn't define the same-site-ness to include the redirect chain. When some UAs, such as Chrome, attempted to apply the changes in #1348 they found that users complained of breakage. Bug reports hinted that this occurred during similar situations as Lax+POST, i.e.: young cookies with an unsafe method.

This changes modifies lax-allowing-unsafe to also include cookies that being blocked due a cross-site redirect with an unsafe method. It retains the suggested 2 min limit on cookie age.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Development

Successfully merging this pull request may close these issues.

2 participants