Gregory's Server@simon There's some work going on at https://johannhof.github.io/draft-annevk-johannhof-httpbis-cookies/draft-annevk-johannhof-httpbis-cookies.html to specify this. Does that draft at least improve the situation? I believe they're accepting complaints and suggestions.
|
4 comments
@simon I think https://caniuse.com/mdn-http_headers_set-cookie_samesite_lax_default answers that question? I haven't checked that it's correct, but generally it'd be nice for `caniuse` to answer questions about how completely each browser implements consensus and proposed standards.  @jyasskin sadly that doesn’t cover the deeper issue of what happens if you send set-cookie without a SameSite attribute at all - or weird undocumented edge-cases like what changes if a Safari user turns on “Prevent Cross-Site Tracking” |
@jyasskin that looks great! The thing that's missing is exact documentation as to which version of which browsers implement which policies - three years ago I was having trouble figuring out which browsers had actually implemented SameSite=lax by default, the situation on that is no better today!