Email or username:

Password:

Forgot your password?
Simon's posts Post Back to profile
Top-level
Simon Willison

@jyasskin that looks great! The thing that's missing is exact documentation as to which version of which browsers implement which policies - three years ago I was having trouble figuring out which browsers had actually implemented SameSite=lax by default, the situation on that is no better today!

29 August at 19:04 | Open on fedi.simonwillison.net
3 comments
Jeffrey Yasskin

@simon I think caniuse.com/mdn-http_headers_s answers that question? I haven't checked that it's correct, but generally it'd be nice for `caniuse` to answer questions about how completely each browser implements consensus and proposed standards.

29 August at 19:13 | Open on hachyderm.io
Simon Willison

@jyasskin sadly that doesn’t cover the deeper issue of what happens if you send set-cookie without a SameSite attribute at all - or weird undocumented edge-cases like what changes if a Safari user turns on “Prevent Cross-Site Tracking”
29 August at 19:17 | Open on fedi.simonwillison.net
Jeffrey Yasskin

@simon My understanding of "Defaults to Lax" is that it's a description of what happens "if you send set-cookie without a SameSite attribute at all", but I admit that I don't know what the maintainers are actually testing when they update this entry, and I can't find any documentation that says explicitly.

+1 that user settings are much less evenly covered, although there's a field for it in the data format that's used for the Firefox setting: github.com/mdn/browser-compat-.

@simon My understanding of "Defaults to Lax" is that it's a description of what happens "if you send set-cookie without a SameSite attribute at all", but I admit that I don't know what the maintainers are actually testing when they update this entry, and I can't find any documentation that says explicitly.

29 August at 19:29 | Open on hachyderm.io
Go Up