samesite

SameSite 属性 (クッキー)

異なるサイトへのリダイレクト

[34] SafariSameSite=Lax のときであっても、 他のサイトからリダイレクトされた navigateクッキーを送信しません。

[35] Apple は何度か修正したと言っているようですが、 最近でもこの現象が続いています。 WebKitライブラリーのバージョンか何かに依存する問題なのか、 ITP第三者クッキー排除などの Apple 独自の機能が関係する不透明な仕様に基づく Apple の意図通りの動作なのか、 不透明でよくわかりません。

[36] Chrome ではそのような挙動にはなりません。

歴史

[1] SameSite: Clarify user-triggered navigation behavior. · Issue #201 · httpwg/http-extensions ( ()) https://github.com/httpwg/http-extensions/issues/201

[2] Re: SameSite=Strict cookies for a user entered URL ( (Mike West著, )) https://lists.w3.org/Archives/Public/public-webappsec/2016Jun/0048.html

[3] draft-ietf-httpbis-cookie-same-site-00 - Same-Site Cookies () https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00

[5] 'SameSite' cookie attribute - Chrome Platform Status () https://www.chromestatus.com/feature/4672634709082112

[6] SameDomain-cookies/samedomain.txt at master · mozmark/SameDomain-cookies () https://github.com/mozmark/SameDomain-cookies/blob/master/samedomain.txt

[7] 795346 – Add SameSite support for cookies () https://bugzilla.mozilla.org/show_bug.cgi?id=795346

[8] 459154 - Experiment with "SameSite" cookies. - chromium - Monorail () https://bugs.chromium.org/p/chromium/issues/detail?id=459154

[9] [6265bis] Add double-keying policy example to "Third-party cookies" section · Issue #248 · httpwg/http-extensions () https://github.com/httpwg/http-extensions/issues/248

[10] Actions required to mitigate Speculative Side-Channel Attack techniques - The Chromium Projects () https://www.chromium.org/Home/chromium-security/ssca

[11] Meltdown/Spectre  |  Web  |  Google Developers () https://developers.google.com/web/updates/2018/02/meltdown-spectre

[12] Previewing support for same-site cookies in Microsoft Edge - Microsoft Edge Dev BlogMicrosoft Edge Dev Blog () https://blogs.windows.com/msedgedev/2018/05/17/samesite-cookies-microsoft-edge-internet-explorer/

[13] 1459321 - SameSite=Strict cookies aren't sent upon page refresh () https://bugzilla.mozilla.org/show_bug.cgi?id=1459321

[4] draft-ietf-httpbis-rfc6265bis-02 - Cookies: HTTP State Management Mechanism () https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7

[14] Supporting Same-Site Cookies in Firefox 60 | Mozilla Security Blog () https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/

[15] Previewing support for same-site cookies in Microsoft Edge - Microsoft Edge Dev BlogMicrosoft Edge Dev Blog () https://blogs.windows.com/msedgedev/2018/05/17/samesite-cookies-microsoft-edge-internet-explorer/

[16] Supporting Same-Site Cookies in Firefox 60 | Mozilla Security Blog () https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/

[17] 459154 - Experiment with "SameSite" cookies. - chromium - Monorail () https://bugs.chromium.org/p/chromium/issues/detail?id=459154

[18] 635882 - When setting a cookie with "SameSite" (without lax or strict) the cookie is not set. - chromium - Monorail () https://bugs.chromium.org/p/chromium/issues/detail?id=635882

[19] 188165 – iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication () https://bugs.webkit.org/show_bug.cgi?id=188165

[20] iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication () https://social.msdn.microsoft.com/Forums/security/ja-JP/5f0aa4a8-9bfe-4be2-a366-77e6939ae36d/ios-12-safari-breaks-aspnet-core-21-oidc-authentication?forum=WindowsAzureAD

[21] c# - Cookies with a SameSite policy enforced are blocked in iOS 12 for SSO flows involving cross-origin requests - Stack Overflow () https://stackoverflow.com/questions/51982626/cookies-with-a-samesite-policy-enforced-are-blocked-in-ios-12-for-sso-flows-invo

[22] Incrementally Better Cookies () https://mikewest.github.io/cookie-incrementalism/draft-west-cookie-incrementalism.html

[23] Intent to implement: Cookie SameSite=lax by default and SameSite=none only if secure - Google グループ () https://groups.google.com/forum/#!msg/mozilla.dev.platform/nx2uP0CzA9k/BNVPWDHsAQAJ

[24] 1551798 - Prototype SameSite=Lax by default () https://bugzilla.mozilla.org/show_bug.cgi?id=1551798

[25] 198181 – Cookies with SameSite=None or SameSite=invalid treated as Strict () https://bugs.webkit.org/show_bug.cgi?id=198181

[26] Chromium Blog: Temporarily rolling back SameSite Cookie Changes () https://blog.chromium.org/2020/04/temporarily-rolling-back-samesite.html

[27] Chromium Blog: Resuming SameSite Cookie Changes in July () https://blog.chromium.org/2020/05/resuming-samesite-cookie-changes-in-july.html

[28] Schemeful same-site - Chrome Platform Status () https://www.chromestatus.com/feature/5096179480133632

[29] draft-ietf-httpbis-cookie-same-site-00 - Same-Site Cookies (, ) https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00

[30] draft-west-cookie-incrementalism-01 - Incrementally Better Cookies (, ) https://tools.ietf.org/html/draft-west-cookie-incrementalism-01

[31] draft-west-cookie-samesite-firstparty-01 - First-Party Sets and SameSite Cookies (, ) https://tools.ietf.org/html/draft-west-cookie-samesite-firstparty-01

[33] 194906 – Same Site Lax cookies are not sent with cross-site redirect from client-initiated load, https://bugs.webkit.org/show_bug.cgi?id=194906

[32] 196375 – Safari (still) doesn't send Lax cookies after a cross-site redirection, https://bugs.webkit.org/show_bug.cgi?id=196375