Allowing SameSite=None Cookies in First-Party Sandboxed Contexts

[aamuley]

Request for Mozilla Position on an Emerging Web Specification

• Specification title: Allowing SameSite=None Cookies in First-Party Sandboxed Contexts
• Specification or proposal URL (if available): Allowing SameSite=None Cookies in First-Party Sandboxed Contexts whatwg/html#10915
• Explainer URL (if available): https://github.com/explainers-by-googlers/csp-sandbox-allow-same-site-none-cookies
• Proposal author(s) (@-mention GitHub accounts): @aamuley @DCtheTall
• Caniuse.com URL (optional):
• Bugzilla URL (optional):
• Mozillians who can provide input (optional):
• WebKit standards-position: Requested Allowing SameSite=None Cookies in First-Party Sandboxed Contexts WebKit/standards-positions#450

Other information

When third-party cookies (3PC) are blocked by Chrome and Firefox, contexts with the Content-Security-Policy: sandbox header or <iframe> sandbox attribute are no longer able to use SameSite=None cookies. The frame must include the allow-same-origin value to use cookies, which relaxes many security protections including the opaque origin.

We want to restore existing behavior and enable a frame to signal the browser to include SameSite=None cookies in first-party requests from sandboxed frames when 3PC restrictions are active with the allow-same-site-none-cookies value

[tomrittervg]

cc @bvandersloot-mozilla