John Wilander
Not that I like the proliferation of cookies, but can’t you set both SameSite and non-SameSite cookies and then make the decision server-side what to allow in the framed and...
In Safari’s implementation of the Storage Access API you need user interaction in the frame per page. New page with CSRF attack => no cookies. Different iframe with CSRF attack...
Do you mean the case where your iframe successfully gets storage access and then a CSRF attack happens from the same iframe? Or the CSRF attack calls the Storage Access...
These kinds of discussions should take obsoletion of third-party cookies into account. We don’t know details of Chrome’s plans but we know the plan is to obsolete them by January...
I'm circulating this with some coworkers at Apple to gather input.
Hi! John from Apple WebKit here. If we standardize different behavior for default vs explicit SameSite=lax … 1. We increase the complexity of SameSite cookies significantly. Is that desirable? 2....
Looking at the linked GitHub doc, it seems this is no longer schemeful cookies but origin-bound cookies. True? If so, please change the title.
We now have SameSite cookies to consider too. Perhaps we should have a strict ordering of priority for these attributes and combinations of them?
Yes, this seems to have been one of the main drivers for a new version of the spec. Since this issue was opened just a month ago, I assume no...
WebKit's proposal Private Click Measurement solves or intends to solve the above issues by: - Sending attribution reports to the click source (publisher in the above discussion) and the advertiser....