
Which cookies should get sent and what are the Sec-Fetch-* headers

Open cbiesinger opened this issue 1 month ago • 1 comment

The spec currently says the browser POSTs to the issuance_endpoint of the issuer with 1P cookies.

I would like to clarify what this means in practice / how the fetch request should get set up.

I think this means that the browser should treat this as a top-level same-site fetch for the URL, i.e. Sec-Fetch-Site: none, and this also implies that SameSite=Strict cookies should get sent as well. Is that interpretation correct?

Sec-Fetch-Mode should probably (?) be same-origin

Not really sure what the expected value for Sec-Fetch-User is...

(ref: https://www.w3.org/TR/fetch-metadata/#sec-fetch-site-header)

cbiesinger · Nov 07 '25 18:11

(note that chrome's prototype currently sends SameSite=None cookies, if a flag is enabled also Lax, but not Strict. cc @samuelgoto )

cbiesinger · Nov 07 '25 18:11
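The practical question in the issue and the follow-up comment is which of the issuer's cookies actually ride along with the POST to issuance_endpoint under each reading: "treat it as a top-level request with no initiator (Sec-Fetch-Site: none)" versus "treat it as a cross-site POST", which is what the Chrome prototype's None / optionally Lax / never Strict behaviour resembles. The block below is an added example, not code from the spec, the issue author or the Chrome prototype. It models the SameSite attachment rules from RFC 6265bis (Strict only on same-site requests; Lax additionally on top-level navigations with safe methods; None whenever the cookie is Secure and the request is HTTPS) keyed on the same request context that the Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest headers report. The cookie jar, cookie names and the three request contexts are constructed for illustration; which context the spec intends is exactly what the issue asks and is not assumed here.

```javascript
// Added example: model of RFC 6265bis SameSite cookie attachment, keyed on
// Fetch Metadata request context. Not from the spec or any browser's code.

// Constructed sample cookie jar for the issuer site (names are made up).
const issuerCookies = [
  { name: "sid_strict", sameSite: "Strict", secure: true },
  { name: "sid_lax", sameSite: "Lax", secure: true },
  { name: "sid_none", sameSite: "None", secure: true },
  // SameSite=None without Secure is rejected at Set-Cookie time, so it never
  // reaches the jar that a request sees; kept here to show that rule.
  { name: "legacy_none_insecure", sameSite: "None", secure: false },
];

// Sec-Fetch-Site values under which the request counts as same-site for
// cookie purposes. "none" is a user-originated request with no initiator
// (typed URL, bookmark), which the cookie algorithm also treats as same-site.
const SAME_SITE_VALUES = new Set(["same-origin", "same-site", "none"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// ctx: { secFetchSite, secFetchMode, secFetchDest, method, https }
// Returns the names of the cookies the browser would attach to the request.
function cookiesAttached(ctx, jar) {
  const sameSite = SAME_SITE_VALUES.has(ctx.secFetchSite);
  const topLevelNav =
    ctx.secFetchMode === "navigate" && ctx.secFetchDest === "document";
  const sent = [];
  for (const c of jar) {
    if (c.sameSite === "None" && !c.secure) continue; // never stored
    if (c.secure && !ctx.https) continue;              // Secure needs HTTPS
    if (c.sameSite === "None") { sent.push(c.name); continue; }
    if (sameSite) { sent.push(c.name); continue; }     // Strict and Lax both ok
    if (c.sameSite === "Lax" && topLevelNav && SAFE_METHODS.has(ctx.method)) {
      sent.push(c.name);                               // Lax: safe top-level nav
    }
    // Strict: never on a cross-site request.
  }
  return sent;
}

// Constructed request contexts (hypothetical; the spec's intended one is the
// open question in the issue).
const scenarios = {
  // The issue author's reading: a top-level request with no initiator.
  topLevelNoInitiator: {
    secFetchSite: "none", secFetchMode: "navigate", secFetchDest: "document",
    method: "POST", https: true,
  },
  // A plain cross-site POST, as if the RP's page initiated it.
  crossSitePost: {
    secFetchSite: "cross-site", secFetchMode: "cors", secFetchDest: "empty",
    method: "POST", https: true,
  },
  // A cross-site top-level GET navigation (link click from another site).
  crossSiteTopLevelGet: {
    secFetchSite: "cross-site", secFetchMode: "navigate", secFetchDest: "document",
    method: "GET", https: true,
  },
};

// Runs every scenario against the sample jar and returns name -> cookies sent.
function runScenarios() {
  const out = {};
  for (const [name, ctx] of Object.entries(scenarios)) {
    out[name] = cookiesAttached(ctx, issuerCookies);
  }
  return out;
}

for (const [name, cookies] of Object.entries(runScenarios())) {
  console.log(name.padEnd(22), cookies.join(", ") || "(no cookies)");
}
```

Under this model the "no initiator" reading sends Strict, Lax and None cookies, while a cross-site POST sends only SameSite=None cookies, which is the gap between the two interpretations that the issue is about. One caveat the model leaves out: Chrome's "Lax-allowing-unsafe" exception for top-level POSTs applies only to cookies that carry no SameSite attribute at all, so a cookie explicitly marked Lax behaves as shown here.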