http-extensions

Security consideration: origins unable to restrict non-HTTP APIs cookie setting

Open · enygren opened this issue 7 years ago · 1 comment

The security issues motivating CSP Cookie Controls (https://www.w3.org/TR/csp-cookies/) still exist. At a minimum we should list this as a security consideration. In particular, an origin is unable to restrict non-HTTP APIs from setting cookies on a host or domain. While perhaps this is a nice-to-have for hosts (APIs operating in the origin context can do lots of other things), it is a major problem unique to cookies for domains.

A multi-tenant domain (with independent origins under it) has no in-band way to prevent cookies from being set on the entire domain (i.e., to restrict cookies to same-site). The only option available there is to put the domain on a public-suffix list, which isn't always scalable or operationally maintainable.

It may also be worth considering a response header that servers could send to constrain all cookies to same-site as part of this, either with "Content-Security-Policy: cookie-scope host" or as a separate response header specific to this use case. For example, a "Restrict-Cookies" response header with tokens matching the new features of 6265bis (same-site, secure-only, none) that would constrain behaviors of non-HTTP APIs.

enygren avatar Mar 20 '18 16:03 enygren
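To make the gap concrete, the following is an added example written for this page; it is not code from the issue, from the CSP Cookie Controls draft, or from any 6265bis text. It models the user-agent side of a `document.cookie` write: RFC 6265 domain matching, the public-suffix check from section 5.3, and then the two remedies discussed above. The `tenants.example` hosts and the public-suffix set are constructed inputs. The `Restrict-Cookies` header and its `same-site` and `secure-only` tokens are the hypothetical proposal from the issue, not a shipped feature, and `same-site` is modelled here as "no `Domain` attribute may widen the cookie beyond the setting host", which is one reading of the issue's intent.

```javascript
// Added example, not from the issue or any http-extensions draft. Models how a
// user agent decides whether a cookie written through the non-HTTP API
// (document.cookie) from one host under a shared domain is stored, and which
// sibling hosts would then receive it. Restrict-Cookies is hypothetical.

// RFC 6265 section 5.1.3 domain matching: the host equals the domain string, or
// ends with "." + domain and is not an IPv4 literal.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  if (!host.endsWith("." + domain)) return false;
  return !/^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Parse "name=value; Attr=val; Flag" into { name, value, attrs }; attribute
// names are lower-cased because they are case-insensitive (RFC 6265 5.2).
function parseSetCookie(str) {
  const [pair, ...rest] = str.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq < 0 ? "" : pair.slice(0, eq).trim();
  const value = eq < 0 ? pair : pair.slice(eq + 1).trim();
  const attrs = new Map();
  for (const av of rest) {
    if (!av) continue;
    const i = av.indexOf("=");
    const k = (i < 0 ? av : av.slice(0, i)).trim().toLowerCase();
    attrs.set(k, i < 0 ? "" : av.slice(i + 1).trim());
  }
  return { name, value, attrs };
}

// Decide whether a document.cookie write from `host` is stored.
// options.publicSuffixes: constructed stand-in for the public-suffix list.
// options.restrictCookies: tokens of the hypothetical Restrict-Cookies header;
//   "same-site" = the Domain attribute may not widen scope beyond `host`
//   (assumption about the issue's intent), "secure-only" = Secure is required.
function acceptFromScriptApi(host, cookieStr, options = {}) {
  const psl = options.publicSuffixes || new Set(["com", "co.uk"]);
  const policy = options.restrictCookies || new Set();
  const c = parseSetCookie(cookieStr);
  host = host.toLowerCase();
  let scope = host;
  let hostOnly = true;
  let d = c.attrs.get("domain");
  if (d !== undefined && d !== "") {
    d = d.replace(/^\./, "").toLowerCase();
    if (psl.has(d)) {
      // RFC 6265 5.3 step 5: a public suffix may only be a host-only cookie on
      // the suffix itself; from any other host the cookie is ignored entirely.
      if (d !== host) return { accepted: false, reason: "public-suffix" };
    } else {
      if (!domainMatches(host, d)) return { accepted: false, reason: "domain-mismatch" };
      scope = d;
      hostOnly = false;
    }
  }
  if (policy.has("same-site") && !hostOnly) {
    return { accepted: false, reason: "restrict-cookies same-site" };
  }
  if (policy.has("secure-only") && !c.attrs.has("secure")) {
    return { accepted: false, reason: "restrict-cookies secure-only" };
  }
  return { accepted: true, name: c.name, value: c.value, scope, hostOnly };
}

// Hosts (among `hosts`) to which a stored cookie would be attached on a request.
function sentTo(cookie, hosts) {
  return hosts.filter((h) =>
    cookie.hostOnly ? h.toLowerCase() === cookie.scope : domainMatches(h, cookie.scope)
  );
}

// Three independent tenants under a constructed shared domain.
const TENANTS = ["a.tenants.example", "b.tenants.example", "tenants.example"];

function demo() {
  const write = "sid=tenant-a-session; Domain=tenants.example";
  // 1. Today: a script on tenant A can plant a cookie every tenant receives.
  const unrestricted = acceptFromScriptApi("a.tenants.example", write);
  // 2. The only current remedy: put tenants.example on the public-suffix list.
  const viaPsl = acceptFromScriptApi("a.tenants.example", write, {
    publicSuffixes: new Set(["tenants.example"]),
  });
  // 3. The proposed in-band remedy: Restrict-Cookies: same-site.
  const viaHeader = acceptFromScriptApi("a.tenants.example", write, {
    restrictCookies: new Set(["same-site"]),
  });
  return {
    unrestrictedSentTo: unrestricted.accepted ? sentTo(unrestricted, TENANTS) : [],
    viaPsl,
    viaHeader,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node` and the first scenario lists all three tenant hosts as recipients of a cookie that tenant A planted; the other two scenarios reject the write, which is the point of the issue: only the public-suffix route exists today, and it is out-of-band, while the header route would let `tenants.example` opt in per response.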

What would it take to re-invigorate CSP Cookie Controls? Given the current visibility of online privacy this might be a good time to revisit it.

michael-oneill avatar Apr 04 '18 11:04 michael-oneill