Steven Bingler
@mnot That seems like a good idea, IETF 114 has [only allocated 10 minutes](https://datatracker.ietf.org/meeting/114/materials/agenda-114-httpbis-01) for cookie-related discussion so this'll probably need to be a breakout session. Unless you're referring...
Just adding my support (and a couple tags) for this proposal, I like the idea of putting pieces in the layers they belong. I'd like to spend more time on this...
Hello and sorry for my late response. Our (Chrome's) metrics continue to show around 1% of page loads containing 1 or more cookies that would be blocked by this enforcement....
Right, we already differentiate between explicitly Lax (`Set-Cookie: a=b; SameSite=Lax`) and unspecified (`Set-Cookie: a=b`) when it comes to the 2 min Lax+POST mitigation. Only the unspecified cookies qualify for that...
@mozfreddyb I think https://crbug.com/1221316#c16 has what you want. Those numbers are from roughly a week ago. tl;dr Between 80-90% of cookies are unspecified/default lax. Cookies that are being newly written...
Hi John, You bring up some good points. I'm curious if the CFNetwork folks had anything to add.
> Could you help clarify more about "2 min Lax+POST mitigation"? https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis/#section-5.4.7.2 is the spec language around the behavior. As a quick refresher: the goal is to allow unsafe http...
Hi Thank you for your (well researched) issue. As you've found out, nameless cookies are quite the footgun. > These changes seem to be incompatible with the Set-Cookie BNF syntax...
> I'm not sure whether it's worth keeping around the existing grammar in section 4.4.1, but in this initial work I have not attempted to remove it. 4.4.1 defines the...
This was discussed during the Sept 2021 Interim meeting. The decision was that, while this is important, it's a lot of work and 6265bis shouldn't block on it. https://github.com/httpwg/wg-materials/blob/gh-pages/interim-21-09/minutes.md#issue-1073---utf-8-characters