From 18ce5e07a9db2f447e4a452b2d50db5929a595dd Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Thu, 28 Mar 2024 11:31:50 -0400 Subject: [PATCH 01/56] Create hasCrossSiteAncestor.md Add initial proposal --- proposals/hasCrossSiteAncestor.md | 89 +++++++++++++++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 proposals/hasCrossSiteAncestor.md diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md new file mode 100644 index 00000000..705ae0df --- /dev/null +++ b/proposals/hasCrossSiteAncestor.md 
@@ -0,0 +1,89 @@ +# Proposal: Update Extensions to interact with Partitioned Cookies containing Cross-Site Ancestor Chain Bit values> + + +**Summary** + +Allow extensions to utilize a hasCrossSiteAncestor boolean value when interacting with partitioned cookies. + +**Document Metadata** + +**Author:** aselya + +**Sponsoring Browser:** Chrome + +**Contributors:** DCtheTall + +**Created:** 2024-03-28 + +**Related Issues:** [How do Partitioned cookies interact with browser extensions?](https://github.com/privacycg/CHIPS/issues/6) + +## Motivation +Chrome is adding a cross-site ancestor bit value to partitioned cookies. + +### Objective +To interact with partitioned cookies in containing a cross-site ancestor chain bit correctly, extensions will need to have the ability to interact with the bit. + +#### Use Cases + +The methods used to get, set, remove and getAll cookies. + +### Known Consumers +All adopters of partitioned cookies +## Specification + +### Schema + +Addition of a new optional boolean value hasCrossSiteAncestor to the details partitionKey of cookies +```json +details { + "partitionKey": { + "hasCrossSiteAncestor" : boolean + } +} +``` +The partitionKey is part of the existing object Cookie details which is used by the methods cookies.get(), cookies.set(), cookies.remove() and cookies.getAll(). + +### New Permissions + +None + +### Manifest File Changes + +No new manifest fields + +## Security and Privacy + + +### Exposed Sensitive Data + + +### Abuse Mitigations + +A cookie may only have no cross-site ancestor when the topLevelSite in the partitionKey and the URL with which the cookie is associated with are first party to each other. To prevent the setting of cookies that violate this, the set method will return an error if the URL and the topLevelSite are not first party for cookies that are set with no-cross site ancestor. 
+ +### Additional Security Considerations + +## Alternatives + +### Existing Workarounds + +Developers could allow browsers to deduce the value of the cross-site ancestor chain bit from the URL associated with the cookie and the topLevelSite in the partitionKey but that would not always be accurate and could lead to some cookies being inaccessible in an A1->B->A2 situation. + +### Open Web API + +The APIs being expanded to include the hasCrossSiteAncestor boolean are specific to extensions. + +## Implementation Notes + +cookies.get() +If there is a partitionKey present and it has a value for topLevelSite but no value for hasCrossSiteAncestor, the get method will try to deduce what the value for hasCrossSiteAncestor is likely to be when getting the cookie. In the event that the value is incorrect, developers can either pass the correct value for hasCrossSiteAncestor or use cookies.getAll() with no hasCrossSiteAncestor value set. + +cookies.getAll() +If no value is set for hasCrossSiteAncestor cookies with both true and false values for hasCrossSiteAncestor will be returned. + +cookies.set() +As described the Abuse Mitigations section, this method will not allow a hasCrossSiteAncestor value of false, if the URL associated with the cookie and the topLevelSite in the partitionKey are not first party. + +cookies.remove() +If no value is set for hasCrossSiteAncestor, cookies.remove() will remove cookies with both true and false values. + From deb0dd7790829482cae5b2c23b3d2cfd3162e077 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Fri, 29 Mar 2024 13:54:17 -0400 Subject: [PATCH 02/56] Update hasCrossSiteAncestor.md Updates for clarity --- proposals/hasCrossSiteAncestor.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 705ae0df..9a175e60 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -13,15 +13,16 @@ Allow extensions to utilize a hasCrossSiteAncestor boolean value when interactin **Contributors:** DCtheTall -**Created:** 2024-03-28 +**Created:** 2024-03-29 **Related Issues:** [How do Partitioned cookies interact with browser extensions?](https://github.com/privacycg/CHIPS/issues/6) ## Motivation -Chrome is adding a cross-site ancestor bit value to partitioned cookies. +Chrome is adding a cross-site ancestor bit value to partitioned cookies. +[https://github.com/privacycg/CHIPS/issues/40]([https://github.com/privacycg/CHIPS/issues/40](https://github.com/privacycg/CHIPS/issues/40#issuecomment-1883726735)) ### Objective -To interact with partitioned cookies in containing a cross-site ancestor chain bit correctly, extensions will need to have the ability to interact with the bit. +To interact with partitioned cookies in containing a cross-site ancestor chain bit correctly, extensions will need to have the ability to interact with the cross-site ancestor chain bit. #### Use Cases @@ -52,10 +53,10 @@ None No new manifest fields ## Security and Privacy - +The cross-site ancestor chain bit does not reveal private information and the inclusion of the value helps protect against clickjacking attacks. ### Exposed Sensitive Data - +No sensitive data is associated with the cross-site ancestor chain bit. ### Abuse Mitigations 
@@ -67,7 +68,7 @@ A cookie may only have no cross-site ancestor when the topLevelSite in the parti ### Existing Workarounds -Developers could allow browsers to deduce the value of the cross-site ancestor chain bit from the URL associated with the cookie and the topLevelSite in the partitionKey but that would not always be accurate and could lead to some cookies being inaccessible in an A1->B->A2 situation. +Developers could allow browsers to deduce the value of the cross-site ancestor chain bit from the URL associated with the cookie and the topLevelSite in the partitionKey but that would not always be accurate. Those inaccuracies could lead to some cookies being inaccessible in an A1->B->A2 situation. ### Open Web API @@ -85,5 +86,5 @@ cookies.set() As described the Abuse Mitigations section, this method will not allow a hasCrossSiteAncestor value of false, if the URL associated with the cookie and the topLevelSite in the partitionKey are not first party. cookies.remove() -If no value is set for hasCrossSiteAncestor, cookies.remove() will remove cookies with both true and false values. +If no value is set for hasCrossSiteAncestor, cookies.remove() will remove cookies with both true and false values. If no topLevelSite value is included in the partitionKey object, no cookies will be removed and an error will be returned. From 9d579c2ac9d84f4ee6b007e04633e6509ad3adc7 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Fri, 29 Mar 2024 13:57:56 -0400 Subject: [PATCH 03/56] Update hasCrossSiteAncestor.md Update formatting of url --- proposals/hasCrossSiteAncestor.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 9a175e60..02102c51 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -18,8 +18,7 @@ Allow extensions to utilize a hasCrossSiteAncestor boolean value when interactin **Related Issues:** [How do Partitioned cookies interact with browser extensions?](https://github.com/privacycg/CHIPS/issues/6) ## Motivation -Chrome is adding a cross-site ancestor bit value to partitioned cookies. -[https://github.com/privacycg/CHIPS/issues/40]([https://github.com/privacycg/CHIPS/issues/40](https://github.com/privacycg/CHIPS/issues/40#issuecomment-1883726735)) +[Chrome](https://github.com/privacycg/CHIPS/issues/40) is adding a cross-site ancestor bit value to partitioned cookies. ### Objective To interact with partitioned cookies in containing a cross-site ancestor chain bit correctly, extensions will need to have the ability to interact with the cross-site ancestor chain bit. From 33d24cc7d5cd7f785428a8a629677e12bcf10f15 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Sun, 31 Mar 2024 00:26:42 -0400 Subject: [PATCH 04/56] Update hasCrossSiteAncestor.md Updates in phrasing and document organization. --- proposals/hasCrossSiteAncestor.md | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 02102c51..b80727fa 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -25,10 +25,11 @@ To interact with partitioned cookies in containing a cross-site ancestor chain b #### Use Cases -The methods used to get, set, remove and getAll cookies. +The methods used to get, set, remove and getAll cookies for extensions. ### Known Consumers All adopters of partitioned cookies + ## Specification ### Schema 
@@ -44,46 +45,45 @@ details { The partitionKey is part of the existing object Cookie details which is used by the methods cookies.get(), cookies.set(), cookies.remove() and cookies.getAll(). ### New Permissions - -None +No new permissions are required. ### Manifest File Changes - -No new manifest fields +No new manifest fields are required. ## Security and Privacy -The cross-site ancestor chain bit does not reveal private information and the inclusion of the value helps protect against clickjacking attacks. +Privacy: The cross-site ancestor chain bit does not reveal private information so at worst it is a privacy neutral change. + +Security: The inclusion of the value helps protect against clickjacking attacks. ### Exposed Sensitive Data No sensitive data is associated with the cross-site ancestor chain bit. ### Abuse Mitigations - A cookie may only have no cross-site ancestor when the topLevelSite in the partitionKey and the URL with which the cookie is associated with are first party to each other. To prevent the setting of cookies that violate this, the set method will return an error if the URL and the topLevelSite are not first party for cookies that are set with no-cross site ancestor. ### Additional Security Considerations +None ## Alternatives +The hasCrossSiteAncestor value could be a value that is not exposed to extensions at all. Browsers could deduce the value of the cross-site ancestor chain bit from the URL associated with the cookie and the topLevelSite in the partitionKey but that would not always be accurate. Those inaccuracies could lead to some cookies from being inaccessible in an A1->B->A2 situation. ### Existing Workarounds - -Developers could allow browsers to deduce the value of the cross-site ancestor chain bit from the URL associated with the cookie and the topLevelSite in the partitionKey but that would not always be accurate. Those inaccuracies could lead to some cookies being inaccessible in an A1->B->A2 situation. 
+To access cookies with the same topLevelSite but different hasCrossSiteAncestor values (A1->B->A2 context), developers can remove the partitioned attribute from the cookie and use the Storage Access Api. ### Open Web API - The APIs being expanded to include the hasCrossSiteAncestor boolean are specific to extensions. ## Implementation Notes - -cookies.get() +APIs affected by the change and the behavior assoicated with the change: +### cookies.get(): If there is a partitionKey present and it has a value for topLevelSite but no value for hasCrossSiteAncestor, the get method will try to deduce what the value for hasCrossSiteAncestor is likely to be when getting the cookie. In the event that the value is incorrect, developers can either pass the correct value for hasCrossSiteAncestor or use cookies.getAll() with no hasCrossSiteAncestor value set. -cookies.getAll() +### cookies.getAll(): If no value is set for hasCrossSiteAncestor cookies with both true and false values for hasCrossSiteAncestor will be returned. -cookies.set() +### cookies.set(): As described the Abuse Mitigations section, this method will not allow a hasCrossSiteAncestor value of false, if the URL associated with the cookie and the topLevelSite in the partitionKey are not first party. -cookies.remove() +### cookies.remove() If no value is set for hasCrossSiteAncestor, cookies.remove() will remove cookies with both true and false values. If no topLevelSite value is included in the partitionKey object, no cookies will be removed and an error will be returned. From e991178b7a34c4a0cafbcddc6eea96754b91f4d8 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Sun, 31 Mar 2024 11:32:04 -0400 Subject: [PATCH 05/56] Update hasCrossSiteAncestor.md Additional details --- proposals/hasCrossSiteAncestor.md | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index b80727fa..5a15543c 100644 
--- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -1,9 +1,8 @@ -# Proposal: Update Extensions to interact with Partitioned Cookies containing Cross-Site Ancestor Chain Bit values> - +# Proposal: Update Extensions to interact with Partitioned Cookies containing Cross-Site Ancestor Chain Bit values **Summary** -Allow extensions to utilize a hasCrossSiteAncestor boolean value when interacting with partitioned cookies. +Allow extensions to utilize a hasCrossSiteAncestor boolean value when interacting with partitioned cookies that include a cross-site ancestor chain bit in their PartitionKey. **Document Metadata** @@ -13,7 +12,7 @@ Allow extensions to utilize a hasCrossSiteAncestor boolean value when interactin **Contributors:** DCtheTall -**Created:** 2024-03-29 +**Created:** 2024-03-31 **Related Issues:** [How do Partitioned cookies interact with browser extensions?](https://github.com/privacycg/CHIPS/issues/6) @@ -21,7 +20,7 @@ Allow extensions to utilize a hasCrossSiteAncestor boolean value when interactin [Chrome](https://github.com/privacycg/CHIPS/issues/40) is adding a cross-site ancestor bit value to partitioned cookies. ### Objective -To interact with partitioned cookies in containing a cross-site ancestor chain bit correctly, extensions will need to have the ability to interact with the cross-site ancestor chain bit. +To interact with partitioned cookies containing a cross-site ancestor chain bit correctly, extensions will need to have the ability to to specify a value (hasCrossSiteAncestor) that cooresponds to the value of the cross-site ancestor chain bit in partitioned cookies. #### Use Cases 
@@ -34,15 +33,15 @@ All adopters of partitioned cookies ### Schema -Addition of a new optional boolean value hasCrossSiteAncestor to the details partitionKey of cookies +Addition of a new optional boolean value hasCrossSiteAncestor to the partitionKey of cookies. The partitionKey is part of the existing details object which is used by extensions in the methods cookies.get(), cookies.set(), cookies.remove() and cookies.getAll(). + ```json -details { +"details" { "partitionKey": { "hasCrossSiteAncestor" : boolean } } ``` -The partitionKey is part of the existing object Cookie details which is used by the methods cookies.get(), cookies.set(), cookies.remove() and cookies.getAll(). ### New Permissions No new permissions are required. 
@@ -59,13 +58,13 @@ Security: The inclusion of the value helps protect against clickjacking attacks. No sensitive data is associated with the cross-site ancestor chain bit. ### Abuse Mitigations -A cookie may only have no cross-site ancestor when the topLevelSite in the partitionKey and the URL with which the cookie is associated with are first party to each other. To prevent the setting of cookies that violate this, the set method will return an error if the URL and the topLevelSite are not first party for cookies that are set with no-cross site ancestor. +A cookie may only have no cross-site ancestor when the topLevelSite in the partitionKey and the URL with which the cookie is associated with are first party to each other. To prevent the creation of cookies that violate this, the set method will return an error if the URL and the topLevelSite are not first party for cookies that are set with no-cross site ancestor. ### Additional Security Considerations None ## Alternatives -The hasCrossSiteAncestor value could be a value that is not exposed to extensions at all. Browsers could deduce the value of the cross-site ancestor chain bit from the URL associated with the cookie and the topLevelSite in the partitionKey but that would not always be accurate. Those inaccuracies could lead to some cookies from being inaccessible in an A1->B->A2 situation. +The hasCrossSiteAncestor value could be a value that is not exposed to extensions at all. Browsers that choose to include a cross-site ancestor chain bit in their partitioned cookies, could calculate the expected value of the cross-site ancestor chain bit from the URL associated with the cookie and the topLevelSite in the partitionKey. However, this could cause extensions to be unable to correctly set or get cookies (in an A1->B->A2 situation) as the browser may calculate the incorrect value for hasCrossSiteAncestor since it would not be explicitly provided by the extension. 
### Existing Workarounds To access cookies with the same topLevelSite but different hasCrossSiteAncestor values (A1->B->A2 context), developers can remove the partitioned attribute from the cookie and use the Storage Access Api. @@ -79,7 +78,7 @@ APIs affected by the change and the behavior assoicated with the change: If there is a partitionKey present and it has a value for topLevelSite but no value for hasCrossSiteAncestor, the get method will try to deduce what the value for hasCrossSiteAncestor is likely to be when getting the cookie. In the event that the value is incorrect, developers can either pass the correct value for hasCrossSiteAncestor or use cookies.getAll() with no hasCrossSiteAncestor value set. ### cookies.getAll(): -If no value is set for hasCrossSiteAncestor cookies with both true and false values for hasCrossSiteAncestor will be returned. +If no value is set for hasCrossSiteAncestor cookies with both true and false values for hasCrossSiteAncestor will be returned. Otherwise, cookies will be returned that match the topLevelSite and the passed value for hasCrossSiteAncestor. ### cookies.set(): As described the Abuse Mitigations section, this method will not allow a hasCrossSiteAncestor value of false, if the URL associated with the cookie and the topLevelSite in the partitionKey are not first party. From 5ce6b563c1ca30ef8b24cc72e9811258937e6cb9 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Mon, 1 Apr 2024 10:16:33 -0400 Subject: [PATCH 06/56] Update hasCrossSiteAncestor.md Additional content and formatting --- proposals/hasCrossSiteAncestor.md | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 5a15543c..ff37d4af 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -2,7 +2,7 @@ **Summary** -Allow extensions to utilize a hasCrossSiteAncestor boolean value when interacting with partitioned cookies that include a cross-site ancestor chain bit in their PartitionKey. +Allow extensions to utilize a hasCrossSiteAncestor boolean value when interacting with partitioned cookies that include a cross-site ancestor chain bit in their partiton key. **Document Metadata** @@ -12,7 +12,7 @@ Allow extensions to utilize a hasCrossSiteAncestor boolean value when interactin **Contributors:** DCtheTall -**Created:** 2024-03-31 +**Created:** 2024-04-01 **Related Issues:** [How do Partitioned cookies interact with browser extensions?](https://github.com/privacycg/CHIPS/issues/6) @@ -24,7 +24,7 @@ To interact with partitioned cookies containing a cross-site ancestor chain bit #### Use Cases -The methods used to get, set, remove and getAll cookies for extensions. +The methods used to get, set, remove and getAll cookies. ### Known Consumers All adopters of partitioned cookies @@ -33,12 +33,14 @@ All adopters of partitioned cookies ### Schema -Addition of a new optional boolean value hasCrossSiteAncestor to the partitionKey of cookies. The partitionKey is part of the existing details object which is used by extensions in the methods cookies.get(), cookies.set(), cookies.remove() and cookies.getAll(). +Adds a new optional boolean value hasCrossSiteAncestor to the partitionKey of the cookies details object. Which is the parameter used in the methods `cookies.get()`, `cookies.set()`, `cookies.remove()` and `cookies.getAll()`. -```json +``` +//Cookie details object with partitionKey containing hasCrossSiteAncestor value of true. "details" { "partitionKey": { - "hasCrossSiteAncestor" : boolean + "topLevelSite" : "https://example.com" + "hasCrossSiteAncestor" : true } } ``` 
@@ -50,9 +52,9 @@ No new permissions are required. No new manifest fields are required. ## Security and Privacy -Privacy: The cross-site ancestor chain bit does not reveal private information so at worst it is a privacy neutral change. +Privacy: The hasCrossSiteAncestor boolean value does not reveal private information. -Security: The inclusion of the value helps protect against clickjacking attacks. +Security: The hasCrossSiteAncestor boolean value does not impact security. ### Exposed Sensitive Data No sensitive data is associated with the cross-site ancestor chain bit. 
@@ -74,15 +76,16 @@ The APIs being expanded to include the hasCrossSiteAncestor boolean are specific ## Implementation Notes APIs affected by the change and the behavior assoicated with the change: -### cookies.get(): + +- `cookies.get()`: If there is a partitionKey present and it has a value for topLevelSite but no value for hasCrossSiteAncestor, the get method will try to deduce what the value for hasCrossSiteAncestor is likely to be when getting the cookie. In the event that the value is incorrect, developers can either pass the correct value for hasCrossSiteAncestor or use cookies.getAll() with no hasCrossSiteAncestor value set. -### cookies.getAll(): +- `cookies.getAll()`: If no value is set for hasCrossSiteAncestor cookies with both true and false values for hasCrossSiteAncestor will be returned. Otherwise, cookies will be returned that match the topLevelSite and the passed value for hasCrossSiteAncestor. -### cookies.set(): -As described the Abuse Mitigations section, this method will not allow a hasCrossSiteAncestor value of false, if the URL associated with the cookie and the topLevelSite in the partitionKey are not first party. +- `cookies.set()`: +As described the Abuse Mitigations section, this method will not allow a hasCrossSiteAncestor value of false, if the URL associated with the cookie and the topLevelSite in the partitionKey are not first party. If this is attempted, an error will be returned. If no topLevelSite is provided and a hasCrossSiteAncestor value is provided, the cookie will not be set and an error will be returned. -### cookies.remove() -If no value is set for hasCrossSiteAncestor, cookies.remove() will remove cookies with both true and false values. If no topLevelSite value is included in the partitionKey object, no cookies will be removed and an error will be returned. +- `cookies.remove()`: +If no value is set for hasCrossSiteAncestor, cookies.remove() will remove cookies with both true and false values. 
If no topLevelSite value is included in the partitionKey object and a value is set for hasCrossSiteAncestor, no cookies will be removed and an error will be returned. From 04e4a6e9f774aef32e66c80f7408541c832a82d8 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Tue, 2 Apr 2024 09:17:14 -0400 Subject: [PATCH 07/56] Update proposals/hasCrossSiteAncestor.md Update pr to incorporate reviewer feedback. Co-authored-by: Rob Wu --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index ff37d4af..21f16983 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -69,7 +69,7 @@ None The hasCrossSiteAncestor value could be a value that is not exposed to extensions at all. Browsers that choose to include a cross-site ancestor chain bit in their partitioned cookies, could calculate the expected value of the cross-site ancestor chain bit from the URL associated with the cookie and the topLevelSite in the partitionKey. However, this could cause extensions to be unable to correctly set or get cookies (in an A1->B->A2 situation) as the browser may calculate the incorrect value for hasCrossSiteAncestor since it would not be explicitly provided by the extension. ### Existing Workarounds -To access cookies with the same topLevelSite but different hasCrossSiteAncestor values (A1->B->A2 context), developers can remove the partitioned attribute from the cookie and use the Storage Access Api. +To access cookies with the same `topLevelSite` but different `hasCrossSiteAncestor` values (A1->B->A2 context), developers can remove the `Partitioned` attribute from the cookie and use the Storage Access API in the context of web pages. ### Open Web API The APIs being expanded to include the hasCrossSiteAncestor boolean are specific to extensions. From 327ea24ba23554f4132c7e2b496b7d6aaa534f1a Mon Sep 17 00:00:00 2001 
From: Aaron Selya Date: Tue, 2 Apr 2024 09:42:39 -0400 Subject: [PATCH 08/56] Update proposals/hasCrossSiteAncestor.md Update to reflect reviewer suggestion. Co-authored-by: Rob Wu --- proposals/hasCrossSiteAncestor.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 21f16983..8b952be9 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -33,7 +33,9 @@ All adopters of partitioned cookies ### Schema -Adds a new optional boolean value hasCrossSiteAncestor to the partitionKey of the cookies details object. Which is the parameter used in the methods `cookies.get()`, `cookies.set()`, `cookies.remove()` and `cookies.getAll()`. +Adds a new boolean property `hasCrossSiteAncestor` to the `partitionKey` property of the `cookies.Cookie` type. + +Adds a new optional boolean property `hasCrossSiteAncestor` to the `partitionKey` property of the details object. Which is the parameter used in the methods `cookies.get()`, `cookies.set()`, `cookies.remove()` and `cookies.getAll()`. ``` //Cookie details object with partitionKey containing hasCrossSiteAncestor value of true. From 150ffbfaec733596aa5f6b21127701ce14490678 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Tue, 2 Apr 2024 09:43:33 -0400 Subject: [PATCH 09/56] Update proposals/hasCrossSiteAncestor.md Update to remove reference to Chrome Co-authored-by: Rob Wu --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 8b952be9..ec506fc1 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -17,7 +17,7 @@ Allow extensions to utilize a hasCrossSiteAncestor boolean value when interactin **Related Issues:** [How do Partitioned cookies interact with browser extensions?](https://github.com/privacycg/CHIPS/issues/6) ## Motivation -[Chrome](https://github.com/privacycg/CHIPS/issues/40) is adding a cross-site ancestor bit value to partitioned cookies. +https://github.com/privacycg/CHIPS/issues/40 is adding a cross-site ancestor bit value to partitioned cookies. ### Objective To interact with partitioned cookies containing a cross-site ancestor chain bit correctly, extensions will need to have the ability to to specify a value (hasCrossSiteAncestor) that cooresponds to the value of the cross-site ancestor chain bit in partitioned cookies. From 0c88b2f84960d26d47a907fd89c292b60aec9111 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Tue, 2 Apr 2024 09:44:09 -0400 Subject: [PATCH 10/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Rob Wu --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index ec506fc1..bd666a48 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -14,7 +14,7 @@ Allow extensions to utilize a hasCrossSiteAncestor boolean value when interactin **Created:** 2024-04-01 -**Related Issues:** [How do Partitioned cookies interact with browser extensions?](https://github.com/privacycg/CHIPS/issues/6) +**Related Issues:** [PrivacyCG/CHIPS issue 6 - How do Partitioned cookies interact with browser extensions?](https://github.com/privacycg/CHIPS/issues/6) ## Motivation https://github.com/privacycg/CHIPS/issues/40 is adding a cross-site ancestor bit value to partitioned cookies. From f06414641afa5696c47c37fe3bdaa6ddacd7771e Mon Sep 17 00:00:00 2001 
From: Aaron Selya Date: Tue, 2 Apr 2024 09:45:28 -0400 Subject: [PATCH 11/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Rob Wu --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index bd666a48..5729f81a 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -27,7 +27,7 @@ To interact with partitioned cookies containing a cross-site ancestor chain bit The methods used to get, set, remove and getAll cookies. ### Known Consumers -All adopters of partitioned cookies +All extensions that access and/or modify cookies with awareness of partitioned cookies, through the use of the `partitionKey` property in the `cookies` extension API. ## Specification From c341071eecaed2d2773a3f21b754ef1be2cf7976 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Tue, 2 Apr 2024 09:46:01 -0400 Subject: [PATCH 12/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Rob Wu --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 5729f81a..2f52ace4 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -20,7 +20,7 @@ Allow extensions to utilize a hasCrossSiteAncestor boolean value when interactin https://github.com/privacycg/CHIPS/issues/40 is adding a cross-site ancestor bit value to partitioned cookies. ### Objective -To interact with partitioned cookies containing a cross-site ancestor chain bit correctly, extensions will need to have the ability to to specify a value (hasCrossSiteAncestor) that cooresponds to the value of the cross-site ancestor chain bit in partitioned cookies. +To interact with partitioned cookies containing a cross-site ancestor chain bit correctly, extensions will need to have the ability to to specify a value (hasCrossSiteAncestor) that corresponds to the value of the cross-site ancestor chain bit in partitioned cookies. #### Use Cases From 769663c9199a94319724eeeecf3ccfeb23d47b05 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Tue, 2 Apr 2024 11:05:12 -0400 Subject: [PATCH 13/56] Update hasCrossSiteAncestor.md Add use case --- proposals/hasCrossSiteAncestor.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 2f52ace4..8db26946 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -24,7 +24,10 @@ To interact with partitioned cookies containing a cross-site ancestor chain bit #### Use Cases -The methods used to get, set, remove and getAll cookies. +#### Password Manager: +Let’s say a password manager extension (with host permissions) is used by users to access their login information by setting a cookie that stores their usernames and passwords in an encrypted partitioned cookie. To protect their users against clickjacking, the extension adds a setting that prevents their cookies from being accessed, by default, in embeds that have cross site ancestors without triggering a user prompt. If permission is given through the prompt, the extension sets a cookie with a hasCrossSiteAncestor value of true. Upon subsequent visits, the extension checks the cookie store for the presence of a cookie with a hasCrossSiteAncestor value of true to determine whether the prompt needs to be rendered. + +To allow for this protection and UX flow to work, the extension would need to have the ability to set/get cookies with specific hasCrossSiteAncestor values. ### Known Consumers All extensions that access and/or modify cookies with awareness of partitioned cookies, through the use of the `partitionKey` property in the `cookies` extension API. From 70a32808f49160255873f863d3b0531537c8fe61 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Tue, 2 Apr 2024 11:53:27 -0400 Subject: [PATCH 14/56] Update hasCrossSiteAncestor.md Added background information on x-site ancestor chain bit --- proposals/hasCrossSiteAncestor.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 8db26946..d9fdc657 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -4,6 +4,23 @@ Allow extensions to utilize a hasCrossSiteAncestor boolean value when interacting with partitioned cookies that include a cross-site ancestor chain bit in their partiton key. +#### Brackground information: Description of Cross-site Ancestor Chain Bit in partitioned cookies + +A cross-site ancestor chain bit is a value that is set by the browser when a paritioned cookie is created. The value is used as part of the key in the partition key to determine access to a partitioned cookie. If the bit indicates true, if the cookie has been set in a third third party context. + +A third party context occurs when any parent frame, in the frame tree, is cross-site with the frame the cookie is being set on. If one site of the frame tree is third party, then all children frames of that frame are also third party and have a cross site ancestor. + + +| Site frame tree |Site cookie is set on| hasCrossSiteAncestor value of cookie| +|---|---|--| +| A1 |A1| false | +| A1->A2 |A2 | false | +| A1->A2->A3 |A3 | false | +| A1->B |B| true | +| A1->B->A2 |A1 | false | +| A1->B->A2 |B | true | +| A1->B->A2 |A2 | true | + **Document Metadata** **Author:** aselya From ffb23e1af281102a250b895c956328da84cf7923 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Mon, 8 Apr 2024 13:30:49 -0400 Subject: [PATCH 15/56] Update hasCrossSiteAncestor.md Update language for cookies.remove() --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index d9fdc657..2b9b608c 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -109,5 +109,5 @@ If no value is set for hasCrossSiteAncestor cookies with both true and false val As described the Abuse Mitigations section, this method will not allow a hasCrossSiteAncestor value of false, if the URL associated with the cookie and the topLevelSite in the partitionKey are not first party. If this is attempted, an error will be returned. If no topLevelSite is provided and a hasCrossSiteAncestor value is provided, the cookie will not be set and an error will be returned. - `cookies.remove()`: -If no value is set for hasCrossSiteAncestor, cookies.remove() will remove cookies with both true and false values. If no topLevelSite value is included in the partitionKey object and a value is set for hasCrossSiteAncestor, no cookies will be removed and an error will be returned. +If no value is set for hasCrossSiteAncestor, cookies.remove() will not consider the hasCrossSiteAncestor value when determing the cookie to remove. If no topLevelSite value is included in the partitionKey object and a value is set for hasCrossSiteAncestor, no cookie will be removed and an error will be returned. From 582b880a67ea61ef53352c7aa3ec3f695909ea33 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Mon, 8 Apr 2024 16:45:30 -0400 Subject: [PATCH 16/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Oliver Dunk --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 2b9b608c..70fd0afa 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -4,7 +4,7 @@ Allow extensions to utilize a hasCrossSiteAncestor boolean value when interacting with partitioned cookies that include a cross-site ancestor chain bit in their partiton key. -#### Brackground information: Description of Cross-site Ancestor Chain Bit in partitioned cookies +#### Background information: Description of Cross-site Ancestor Chain Bit in partitioned cookies A cross-site ancestor chain bit is a value that is set by the browser when a paritioned cookie is created. The value is used as part of the key in the partition key to determine access to a partitioned cookie. If the bit indicates true, if the cookie has been set in a third third party context. From b209dd494c5d344f68d07e1e6010e6922a9c6e14 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Mon, 8 Apr 2024 16:45:40 -0400 Subject: [PATCH 17/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Oliver Dunk --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 70fd0afa..24029748 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -6,7 +6,7 @@ Allow extensions to utilize a hasCrossSiteAncestor boolean value when interactin #### Background information: Description of Cross-site Ancestor Chain Bit in partitioned cookies -A cross-site ancestor chain bit is a value that is set by the browser when a paritioned cookie is created. The value is used as part of the key in the partition key to determine access to a partitioned cookie. If the bit indicates true, if the cookie has been set in a third third party context. +A cross-site ancestor chain bit is a value that is set by the browser when a partitioned cookie is created. The value is used as part of the key in the partition key to determine access to a partitioned cookie. If the bit indicates true, it means the cookie has been set in a third party context. A third party context occurs when any parent frame, in the frame tree, is cross-site with the frame the cookie is being set on. If one site of the frame tree is third party, then all children frames of that frame are also third party and have a cross site ancestor. From bce31623fd9d70e4002fb09a095f17d362d4d510 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Mon, 8 Apr 2024 16:45:54 -0400 Subject: [PATCH 18/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Oliver Dunk --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 24029748..8b77e72a 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -23,7 +23,7 @@ A third party context occurs when any parent frame, in the frame tree, is cross- **Document Metadata** -**Author:** aselya +**Author:** aselya **Sponsoring Browser:** Chrome From b71a7a792a69e2089ebba5461b6e2425adef2272 Mon Sep 17 00:00:00 2001 
From: Aaron Selya Date: Mon, 8 Apr 2024 16:46:09 -0400 Subject: [PATCH 19/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Oliver Dunk --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 8b77e72a..d06204a8 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -58,7 +58,7 @@ Adds a new boolean property `hasCrossSiteAncestor` to the `partitionKey` propert Adds a new optional boolean property `hasCrossSiteAncestor` to the `partitionKey` property of the details object. Which is the parameter used in the methods `cookies.get()`, `cookies.set()`, `cookies.remove()` and `cookies.getAll()`. ``` -//Cookie details object with partitionKey containing hasCrossSiteAncestor value of true. +// Cookie details object with partitionKey containing hasCrossSiteAncestor value of true. "details" { "partitionKey": { "topLevelSite" : "https://example.com" From 1bcf67826ee94aa3b361b41750eca046aec4df92 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Mon, 8 Apr 2024 16:46:24 -0400 Subject: [PATCH 20/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Oliver Dunk --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index d06204a8..627e191d 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -61,7 +61,7 @@ Adds a new optional boolean property `hasCrossSiteAncestor` to the `partitionKey // Cookie details object with partitionKey containing hasCrossSiteAncestor value of true. "details" { "partitionKey": { - "topLevelSite" : "https://example.com" + "topLevelSite" : "https://example.com", "hasCrossSiteAncestor" : true } } From 845f868d85c49ae95343da6c949561cca43912f3 Mon Sep 17 00:00:00 2001 
From: Aaron Selya Date: Tue, 9 Apr 2024 11:56:30 -0400 Subject: [PATCH 21/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Oliver Dunk --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 627e191d..34fb9eca 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -59,7 +59,7 @@ Adds a new optional boolean property `hasCrossSiteAncestor` to the `partitionKey ``` // Cookie details object with partitionKey containing hasCrossSiteAncestor value of true. -"details" { +"details": { "partitionKey": { "topLevelSite" : "https://example.com", "hasCrossSiteAncestor" : true From b2ef5e78252b5dc24d1e9d6d0f0a43959b60f153 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Tue, 9 Apr 2024 11:56:38 -0400 Subject: [PATCH 22/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Oliver Dunk --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 34fb9eca..a53a6824 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -61,7 +61,7 @@ Adds a new optional boolean property `hasCrossSiteAncestor` to the `partitionKey // Cookie details object with partitionKey containing hasCrossSiteAncestor value of true. "details": { "partitionKey": { - "topLevelSite" : "https://example.com", + "topLevelSite": "https://example.com", "hasCrossSiteAncestor" : true } } From ab5eaaa2305c13a0d05d0e8fe8222c3862a0045f Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Tue, 9 Apr 2024 11:56:44 -0400 Subject: [PATCH 23/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Oliver Dunk --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index a53a6824..55328d04 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -62,7 +62,7 @@ Adds a new optional boolean property `hasCrossSiteAncestor` to the `partitionKey "details": { "partitionKey": { "topLevelSite": "https://example.com", - "hasCrossSiteAncestor" : true + "hasCrossSiteAncestor": true } } ``` From cdf260fd0f75f304e61e695833f6885de236a5e6 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Tue, 9 Apr 2024 17:15:32 -0400 Subject: [PATCH 24/56] Update hasCrossSiteAncestor.md Add new use case and add clarification to table --- proposals/hasCrossSiteAncestor.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 55328d04..e5aebb02 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -8,9 +8,9 @@ Allow extensions to utilize a hasCrossSiteAncestor boolean value when interactin A cross-site ancestor chain bit is a value that is set by the browser when a partitioned cookie is created. The value is used as part of the key in the partition key to determine access to a partitioned cookie. If the bit indicates true, it means the cookie has been set in a third party context. -A third party context occurs when any parent frame, in the frame tree, is cross-site with the frame the cookie is being set on. If one site of the frame tree is third party, then all children frames of that frame are also third party and have a cross site ancestor. - +A third party context occurs when any parent frame, in the frame tree, is cross-site with the frame the cookie is being set on. If one site of the frame tree is third party, then all children frames of that frame are also third party and have a cross site ancestor. +Note: In the table below, sites A1, A2 and A3 are all first party to each other. | Site frame tree |Site cookie is set on| hasCrossSiteAncestor value of cookie| |---|---|--| | A1 |A1| false | 
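Review bot: the added "Note:" line defines A1, A2 and A3 as first party to each other but never says that B is cross-site to them, which is the fact every `true` row in the table depends on. Suggest "sites A1, A2 and A3 are all first party to each other, and B is cross-site to all of them". The note is also followed directly by the table header row with no blank line in between; a blank line there keeps the table rendering in Markdown processors that require one before a table.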
@@ -41,8 +41,11 @@ To interact with partitioned cookies containing a cross-site ancestor chain bit #### Use Cases +#### Cookie Manager: +Let's say a cookie manager extension (with host permissions) is used by users to get/set/remove their cookies. As browsers include the cross-site ancestor chain bit in their implementation of partitioned cookies, the extension will need the ability to use the `hasCrossSiteAncestor` parameter to give full insight into the existing cookies and allow the user to set new cookies that include the cross-site ancestor bit correctly. + #### Password Manager: -Let’s say a password manager extension (with host permissions) is used by users to access their login information by setting a cookie that stores their usernames and passwords in an encrypted partitioned cookie. To protect their users against clickjacking, the extension adds a setting that prevents their cookies from being accessed, by default, in embeds that have cross site ancestors without triggering a user prompt. If permission is given through the prompt, the extension sets a cookie with a hasCrossSiteAncestor value of true. Upon subsequent visits, the extension checks the cookie store for the presence of a cookie with a hasCrossSiteAncestor value of true to determine whether the prompt needs to be rendered. +Let’s say a password manager extension (with host permissions) is used by users to access their login information by setting a cookie that stores their usernames and passwords in an encrypted partitioned cookie. To protect their users against clickjacking, the extension adds a setting that prevents their cookies from being accessed, by default, in embeds that have cross site ancestors without triggering a user prompt. If permission is given through the prompt, the extension sets a cookie with a `hasCrossSiteAncestor` value of true. 
Upon subsequent visits, the extension checks the cookie store for the presence of a cookie with a `hasCrossSiteAncestor` value of true to determine whether the prompt needs to be rendered. To allow for this protection and UX flow to work, the extension would need to have the ability to set/get cookies with specific hasCrossSiteAncestor values. From c522cdcf8f0b5a76b445f2b44219c29f675e0cca Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Tue, 9 Apr 2024 19:10:26 -0400 Subject: [PATCH 25/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Rob Wu --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index e5aebb02..520ad4f3 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -8,7 +8,7 @@ Allow extensions to utilize a hasCrossSiteAncestor boolean value when interactin A cross-site ancestor chain bit is a value that is set by the browser when a partitioned cookie is created. The value is used as part of the key in the partition key to determine access to a partitioned cookie. If the bit indicates true, it means the cookie has been set in a third party context. -A third party context occurs when any parent frame, in the frame tree, is cross-site with the frame the cookie is being set on. If one site of the frame tree is third party, then all children frames of that frame are also third party and have a cross site ancestor. +A third party context occurs when any parent frame, in the frame tree, is cross-site with the frame or subresource the cookie is being set on. If one site of the frame tree is third party, then all children frames of that frame are also third party and have a cross site ancestor. Note: In the table below, sites A1, A2 and A3 are all first party to each other. | Site frame tree |Site cookie is set on| hasCrossSiteAncestor value of cookie| 
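Review bot: the changed sentence widens the definition to "the frame or subresource the cookie is being set on", but the following sentence ("all children frames of that frame") and the table column "Site cookie is set on" still describe frames only, so a reader cannot tell what value a cookie set by a subresource response gets. Suggest one sentence, or one table row, for the subresource case, for example a request to B made from the top-level A1 document.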
From 85428acd8d40a972a7248a3bb5a1a16eff423403 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Thu, 11 Apr 2024 10:58:36 -0400 Subject: [PATCH 26/56] Update hasCrossSiteAncestor.md --- proposals/hasCrossSiteAncestor.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 520ad4f3..9f05e42c 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -6,11 +6,11 @@ Allow extensions to utilize a hasCrossSiteAncestor boolean value when interactin #### Background information: Description of Cross-site Ancestor Chain Bit in partitioned cookies -A cross-site ancestor chain bit is a value that is set by the browser when a partitioned cookie is created. The value is used as part of the key in the partition key to determine access to a partitioned cookie. If the bit indicates true, it means the cookie has been set in a third party context. +The cross-site ancestor chain bit is a component of the cookie partition key that is set by the browser when keys are created. If the bit indicates true, it means the cookie has been set in a third-party context. -A third party context occurs when any parent frame, in the frame tree, is cross-site with the frame or subresource the cookie is being set on. If one site of the frame tree is third party, then all children frames of that frame are also third party and have a cross site ancestor. +A third-party context occurs when any parent frame, in the frame tree, is cross-site with the frame or subresource the cookie is being set on. If one site of the frame tree is third-party, then all children frames of that frame are also third-party and have a cross site ancestor. Third-party contexts also occur when the top-level frame makes a third-party subresource request and when a first-party request is redirected to a thrid-party URL (even if it is subsequently redirected back to a first-party request after, that subsequent first-party request is now considered an ABA request). -Note: In the table below, sites A1, A2 and A3 are all first party to each other. +Note: In the table below, sites A1, A2 and A3 are all first-party to each other. | Site frame tree |Site cookie is set on| hasCrossSiteAncestor value of cookie| |---|---|--| | A1 |A1| false | 
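Review bot: the rewritten third-party paragraph contains the typo "thrid-party URL" and uses "ABA request" in the parenthetical without defining it anywhere in the visible text. Suggest fixing the spelling and either defining ABA once (a request to site A that reaches it through cross-site B from an A top level) or pointing at the A1->B->A2 rows of the table. The sentence would also read better split in two: one for the cross-site subresource request, one for the redirect case.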
@@ -23,11 +23,11 @@ Note: In the table below, sites A1, A2 and A3 are all first party to each other. **Document Metadata** -**Author:** aselya +**Author:** [aselya](https://github.com/aselya) **Sponsoring Browser:** Chrome -**Contributors:** DCtheTall +**Contributors:** [DCtheTall](https://github.com/Dcthetall) **Created:** 2024-04-01 @@ -85,7 +85,7 @@ Security: The hasCrossSiteAncestor boolean value does not impact security. No sensitive data is associated with the cross-site ancestor chain bit. ### Abuse Mitigations -A cookie may only have no cross-site ancestor when the topLevelSite in the partitionKey and the URL with which the cookie is associated with are first party to each other. To prevent the creation of cookies that violate this, the set method will return an error if the URL and the topLevelSite are not first party for cookies that are set with no-cross site ancestor. +A cookie may only have no cross-site ancestor when the topLevelSite in the partitionKey and the URL with which the cookie is associated with are first-party to each other. To prevent the creation of cookies that violate this, the set method will return an error if the URL and the topLevelSite are not first-party for cookies that are set with no-cross site ancestor. ### Additional Security Considerations None 
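Review bot: in the Abuse Mitigations line this hunk only hyphenates "first-party" and leaves the wording problems in place: "the URL with which the cookie is associated with" has a doubled "with", and "no-cross site ancestor" should be "no cross-site ancestor". Since this is the rule `cookies.set()` enforces, it would be clearer stated in API terms: `set()` returns an error when `hasCrossSiteAncestor` is false and the cookie URL and `topLevelSite` are not first-party to each other.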
@@ -109,7 +109,7 @@ If there is a partitionKey present and it has a value for topLevelSite but no va If no value is set for hasCrossSiteAncestor cookies with both true and false values for hasCrossSiteAncestor will be returned. Otherwise, cookies will be returned that match the topLevelSite and the passed value for hasCrossSiteAncestor. - `cookies.set()`: -As described the Abuse Mitigations section, this method will not allow a hasCrossSiteAncestor value of false, if the URL associated with the cookie and the topLevelSite in the partitionKey are not first party. If this is attempted, an error will be returned. If no topLevelSite is provided and a hasCrossSiteAncestor value is provided, the cookie will not be set and an error will be returned. +As described the Abuse Mitigations section, this method will not allow a hasCrossSiteAncestor value of false, if the URL associated with the cookie and the topLevelSite in the partitionKey are not first-party. If this is attempted, an error will be returned. If no topLevelSite is provided and a hasCrossSiteAncestor value is provided, the cookie will not be set and an error will be returned. - `cookies.remove()`: If no value is set for hasCrossSiteAncestor, cookies.remove() will not consider the hasCrossSiteAncestor value when determing the cookie to remove. If no topLevelSite value is included in the partitionKey object and a value is set for hasCrossSiteAncestor, no cookie will be removed and an error will be returned. From 86f0e7f2289856c1d374523caf141d7cb20b2689 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Thu, 30 May 2024 18:01:55 -0400 Subject: [PATCH 27/56] Update hasCrossSiteAncestor.md Add language describing logic for determining hasCrossSiteAncestor value when not provided. Update method descriptions to incorporate new language and indicate when errors will be thrown. --- proposals/hasCrossSiteAncestor.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) 
diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 9f05e42c..83c69796 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -100,17 +100,21 @@ To access cookies with the same `topLevelSite` but different `hasCrossSiteAncest The APIs being expanded to include the hasCrossSiteAncestor boolean are specific to extensions. ## Implementation Notes -APIs affected by the change and the behavior assoicated with the change: + +### Populating hasCrossSiteAncestor when not provided +When no value has been provided for `hasCrossSiteAncestor`, if the `domain` associated with the `cookie` is same-site to the value of the `topLevelSite`, the `hasCrossSiteAncestor` value will be set to false otherwise the value will be set to true. + +### APIs affected by the change and the behavior assoicated with the change: - `cookies.get()`: -If there is a partitionKey present and it has a value for topLevelSite but no value for hasCrossSiteAncestor, the get method will try to deduce what the value for hasCrossSiteAncestor is likely to be when getting the cookie. In the event that the value is incorrect, developers can either pass the correct value for hasCrossSiteAncestor or use cookies.getAll() with no hasCrossSiteAncestor value set. +If no `hasCrossSieAncestor` value is provided it will be populated using the algorithim described above. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. - `cookies.getAll()`: If no value is set for hasCrossSiteAncestor cookies with both true and false values for hasCrossSiteAncestor will be returned. Otherwise, cookies will be returned that match the topLevelSite and the passed value for hasCrossSiteAncestor. - `cookies.set()`: -As described the Abuse Mitigations section, this method will not allow a hasCrossSiteAncestor value of false, if the URL associated with the cookie and the topLevelSite in the partitionKey are not first-party. If this is attempted, an error will be returned. 
If no topLevelSite is provided and a hasCrossSiteAncestor value is provided, the cookie will not be set and an error will be returned. +As described the Abuse Mitigations section, this method will not allow a hasCrossSiteAncestor value of false, if the URL associated with the cookie and the topLevelSite in the partitionKey are not first-party. If this is attempted, an error will be returned. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. Additionally, if no `hasCrossSieAncestor` value is provided it will be populated using the algorithim described above. - `cookies.remove()`: -If no value is set for hasCrossSiteAncestor, cookies.remove() will not consider the hasCrossSiteAncestor value when determing the cookie to remove. If no topLevelSite value is included in the partitionKey object and a value is set for hasCrossSiteAncestor, no cookie will be removed and an error will be returned. +If no `hasCrossSieAncestor` value is provided it will be populated using the algorithim described above when determing the cookie to remove. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. From e244fef3adfa5ae6e1a79889d73913a2944e3f9c Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Fri, 31 May 2024 13:58:12 -0400 Subject: [PATCH 28/56] Update hasCrossSiteAncestor.md Update table --- proposals/hasCrossSiteAncestor.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 83c69796..ea539eb5 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -11,15 +11,15 @@ The cross-site ancestor chain bit is a component of the cookie partition key tha A third-party context occurs when any parent frame, in the frame tree, is cross-site with the frame or subresource the cookie is being set on. If one site of the frame tree is third-party, then all children frames of that frame are also third-party and have a cross site ancestor. Third-party contexts also occur when the top-level frame makes a third-party subresource request and when a first-party request is redirected to a thrid-party URL (even if it is subsequently redirected back to a first-party request after, that subsequent first-party request is now considered an ABA request). Note: In the table below, sites A1, A2 and A3 are all first-party to each other. -| Site frame tree |Site cookie is set on| hasCrossSiteAncestor value of cookie| -|---|---|--| -| A1 |A1| false | +| Site frame tree |Site cookie is set on| hasCrossSiteAncestor value of cookie| Nodes that can't access the cookie| +|---|---|--|--| +| A1 |A1| false | | | A1->A2 |A2 | false | -| A1->A2->A3 |A3 | false | -| A1->B |B| true | -| A1->B->A2 |A1 | false | -| A1->B->A2 |B | true | -| A1->B->A2 |A2 | true | +| A1->A2->A3 |A3 | false | +| A1->B |B| true | B| +| A1->B->A2 |A1 | false | B and A2 +| A1->B->A2 |B | true | A1 and A2 | +| A1->B->A2 |A2 | true | A1 and B **Document Metadata** From 64a15c55daddd92c26d3e356a75a0f387c86ae82 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Wed, 26 Jun 2024 08:55:53 -0400 Subject: [PATCH 29/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Rob Wu --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index ea539eb5..a6199d4c 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -107,7 +107,7 @@ When no value has been provided for `hasCrossSiteAncestor`, if the `domain` asso ### APIs affected by the change and the behavior assoicated with the change: - `cookies.get()`: -If no `hasCrossSieAncestor` value is provided it will be populated using the algorithim described above. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. +If no `hasCrossSiteAncestor` value is provided it will be populated using the algorithim described above. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. - `cookies.getAll()`: If no value is set for hasCrossSiteAncestor cookies with both true and false values for hasCrossSiteAncestor will be returned. Otherwise, cookies will be returned that match the topLevelSite and the passed value for hasCrossSiteAncestor. From cd75fce226cfa5219e4affd6bf825882da4bb867 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Wed, 26 Jun 2024 08:57:10 -0400 Subject: [PATCH 30/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Rob Wu --- proposals/hasCrossSiteAncestor.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index a6199d4c..7f6b30c8 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -8,7 +8,8 @@ Allow extensions to utilize a hasCrossSiteAncestor boolean value when interactin The cross-site ancestor chain bit is a component of the cookie partition key that is set by the browser when keys are created. If the bit indicates true, it means the cookie has been set in a third-party context. -A third-party context occurs when any parent frame, in the frame tree, is cross-site with the frame or subresource the cookie is being set on. If one site of the frame tree is third-party, then all children frames of that frame are also third-party and have a cross site ancestor. Third-party contexts also occur when the top-level frame makes a third-party subresource request and when a first-party request is redirected to a thrid-party URL (even if it is subsequently redirected back to a first-party request after, that subsequent first-party request is now considered an ABA request). +A third-party context occurs when the subresource the cookie is being set on has a cross-site frame ancestor, opener or redirect entry. +Once a frame is considered to be in a third-party context, all requests within that frame and its child frames are also third-party and have a cross site ancestor. Similarly, once a request redirects to a cross-site URL, it is considered third-party (even if it is subsequently redirected back to a first-party request after, that subsequent first-party request is now considered an ABA request). Note: In the table below, sites A1, A2 and A3 are all first-party to each other. | Site frame tree |Site cookie is set on| hasCrossSiteAncestor value of cookie| Nodes that can't access the cookie| From 5a3d1455ddf26b86739eb6781672ffa496430bdd Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Thu, 27 Jun 2024 09:14:42 -0400 Subject: [PATCH 31/56] Update hasCrossSiteAncestor.md Removing language for ancestor bit definition that is no longer needed. --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 7f6b30c8..495ff305 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -8,7 +8,7 @@ Allow extensions to utilize a hasCrossSiteAncestor boolean value when interactin The cross-site ancestor chain bit is a component of the cookie partition key that is set by the browser when keys are created. If the bit indicates true, it means the cookie has been set in a third-party context. -A third-party context occurs when the subresource the cookie is being set on has a cross-site frame ancestor, opener or redirect entry. +A third-party context occurs when the subresource the cookie is being set on has a cross-site frame ancestor. Once a frame is considered to be in a third-party context, all requests within that frame and its child frames are also third-party and have a cross site ancestor. Similarly, once a request redirects to a cross-site URL, it is considered third-party (even if it is subsequently redirected back to a first-party request after, that subsequent first-party request is now considered an ABA request). Note: In the table below, sites A1, A2 and A3 are all first-party to each other. From 131b6661a13573df511a631b569e266bd48340d4 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Fri, 26 Jul 2024 13:19:15 -0400 Subject: [PATCH 32/56] Update hasCrossSiteAncestor.md Update the description of cookies.remove() --- proposals/hasCrossSiteAncestor.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 495ff305..98e72790 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -117,5 +117,4 @@ If no value is set for hasCrossSiteAncestor cookies with both true and false val As described the Abuse Mitigations section, this method will not allow a hasCrossSiteAncestor value of false, if the URL associated with the cookie and the topLevelSite in the partitionKey are not first-party. If this is attempted, an error will be returned. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. Additionally, if no `hasCrossSieAncestor` value is provided it will be populated using the algorithim described above. - `cookies.remove()`: -If no `hasCrossSieAncestor` value is provided it will be populated using the algorithim described above when determing the cookie to remove. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. - +If no `hasCrossSieAncestor` value is provided it will be populated using the algorithim described above when determing the cookie to remove. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. If `topLevelSite` and `hasCrossSiteAncestor` values are provided, they will be used by the method even if the combination of the values would be invalid. From a831db7587d0deaf023b790a1886ee68fbf0bf3d Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Mon, 29 Jul 2024 09:00:45 -0400 Subject: [PATCH 33/56] Update proposals/hasCrossSiteAncestor.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Heiko Theißen --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 98e72790..96103e38 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -117,4 +117,4 @@ If no value is set for hasCrossSiteAncestor cookies with both true and false val As described the Abuse Mitigations section, this method will not allow a hasCrossSiteAncestor value of false, if the URL associated with the cookie and the topLevelSite in the partitionKey are not first-party. If this is attempted, an error will be returned. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. Additionally, if no `hasCrossSieAncestor` value is provided it will be populated using the algorithim described above. - `cookies.remove()`: -If no `hasCrossSieAncestor` value is provided it will be populated using the algorithim described above when determing the cookie to remove. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. If `topLevelSite` and `hasCrossSiteAncestor` values are provided, they will be used by the method even if the combination of the values would be invalid. +If no `hasCrossSieAncestor` value is provided it will be populated using the algorithm described above when determing the cookie to remove. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. If `topLevelSite` and `hasCrossSiteAncestor` values are provided, they will be used by the method even if the combination of the values would be invalid. From 44a8e801c140ec3bcca3e4c17529aa3a4b5508da Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Thu, 1 Aug 2024 09:28:34 -0400 Subject: [PATCH 34/56] Update hasCrossSiteAncestor.md Add language that explicitly allows for get(), getAll() and remove() to have values that would not be valid for set(). To allow for migration of cookies that are no longer valid at runtime. --- proposals/hasCrossSiteAncestor.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 96103e38..86581301 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -88,6 +88,8 @@ No sensitive data is associated with the cross-site ancestor chain bit. ### Abuse Mitigations A cookie may only have no cross-site ancestor when the topLevelSite in the partitionKey and the URL with which the cookie is associated with are first-party to each other. To prevent the creation of cookies that violate this, the set method will return an error if the URL and the topLevelSite are not first-party for cookies that are set with no-cross site ancestor. +There are situations that can occur (such as an update to the public suffix list) which can change the if the topLevelSite and the URL are first-party to each other. To accomidate this possibility, the value for `hasCrossSiteAncestor` for the get(), getAll() and remove() methods will not be restricted. This will allow for web extensions to migrate or remove cookies that have become invalid after they have been set. + ### Additional Security Considerations None From 04a9fee6eb871eec411f196e81afcf4912b59c8a Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Mon, 5 Aug 2024 10:24:15 -0400 Subject: [PATCH 35/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Rob Wu --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 86581301..4ce60382 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -119,4 +119,4 @@ If no value is set for hasCrossSiteAncestor cookies with both true and false val As described the Abuse Mitigations section, this method will not allow a hasCrossSiteAncestor value of false, if the URL associated with the cookie and the topLevelSite in the partitionKey are not first-party. If this is attempted, an error will be returned. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. Additionally, if no `hasCrossSieAncestor` value is provided it will be populated using the algorithim described above. - `cookies.remove()`: -If no `hasCrossSieAncestor` value is provided it will be populated using the algorithm described above when determing the cookie to remove. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. If `topLevelSite` and `hasCrossSiteAncestor` values are provided, they will be used by the method even if the combination of the values would be invalid. +If no `hasCrossSiteAncestor` value is provided it will be populated using the algorithm described above when determing the cookie to remove. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. If `topLevelSite` and `hasCrossSiteAncestor` values are provided, they will be used by the method even if the combination of the values would be invalid. From 3faee04ae758c8d06b3b2b321f49de105da477d5 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Mon, 5 Aug 2024 11:17:42 -0400 Subject: [PATCH 36/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Rob Wu --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 4ce60382..a4f7cfa2 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -116,7 +116,7 @@ If no `hasCrossSiteAncestor` value is provided it will be populated using the al If no value is set for hasCrossSiteAncestor cookies with both true and false values for hasCrossSiteAncestor will be returned. Otherwise, cookies will be returned that match the topLevelSite and the passed value for hasCrossSiteAncestor. - `cookies.set()`: -As described the Abuse Mitigations section, this method will not allow a hasCrossSiteAncestor value of false, if the URL associated with the cookie and the topLevelSite in the partitionKey are not first-party. If this is attempted, an error will be returned. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. Additionally, if no `hasCrossSieAncestor` value is provided it will be populated using the algorithim described above. +As described the Abuse Mitigations section, this method will not allow a hasCrossSiteAncestor value of false, if the URL associated with the cookie and the topLevelSite in the partitionKey are not first-party. If this is attempted, an error will be returned. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. Additionally, if no `hasCrossSiteAncestor` value is provided it will be populated using the algorithm described above. - `cookies.remove()`: If no `hasCrossSiteAncestor` value is provided it will be populated using the algorithm described above when determing the cookie to remove. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. If `topLevelSite` and `hasCrossSiteAncestor` values are provided, they will be used by the method even if the combination of the values would be invalid. From a6bf3979aa858aea6944410305882ea7a5414d48 Mon Sep 17 00:00:00 2001 
From: Aaron Selya Date: Mon, 5 Aug 2024 11:19:17 -0400 Subject: [PATCH 37/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Rob Wu --- proposals/hasCrossSiteAncestor.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index a4f7cfa2..c9b312dc 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -18,8 +18,6 @@ Note: In the table below, sites A1, A2 and A3 are all first-party to each other. | A1->A2 |A2 | false | | A1->A2->A3 |A3 | false | | A1->B |B| true | B| -| A1->B->A2 |A1 | false | B and A2 -| A1->B->A2 |B | true | A1 and A2 | | A1->B->A2 |A2 | true | A1 and B **Document Metadata** From bdf8077e64b2bf9e0cb0612cea9df5bcf0b3330d Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Tue, 6 Aug 2024 13:46:53 -0400 Subject: [PATCH 38/56] Update hasCrossSiteAncestor.md Add language to privacy to point out the pre-existing risks associated with editing partition keys --- proposals/hasCrossSiteAncestor.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index c9b312dc..fff6ad3b 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -76,9 +76,9 @@ No new permissions are required. No new manifest fields are required. ## Security and Privacy -Privacy: The hasCrossSiteAncestor boolean value does not reveal private information. +Privacy: The existing `cookies` API can result in partitioned cookies being associated with a different partition than the original setter of the cookie intended. This risk is not mitigated by this change. -Security: The hasCrossSiteAncestor boolean value does not impact security. +Security: The `hasCrossSiteAncestor` boolean value does not impact security. ### Exposed Sensitive Data No sensitive data is associated with the cross-site ancestor chain bit. 
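Review bot: In the Security and Privacy hunk, the new Privacy sentence says the `cookies` API can leave a partitioned cookie in a different partition than its setter intended, yet the line directly below it still reads "Security: The `hasCrossSiteAncestor` boolean value does not impact security." A cookie landing in a partition the site did not choose is as much a security matter as a privacy one, so the two lines read as contradictory. Suggest either moving the reassignment risk under Security, or having the Security line point to the Abuse Mitigations section, where the `set()` restriction is described.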
From f83b18fc1ef9c19662f0cdce565c76e1a53daa7a Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Wed, 7 Aug 2024 09:09:56 -0400 Subject: [PATCH 39/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Rob Wu --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index fff6ad3b..f78f31ad 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -111,7 +111,7 @@ When no value has been provided for `hasCrossSiteAncestor`, if the `domain` asso If no `hasCrossSiteAncestor` value is provided it will be populated using the algorithim described above. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. - `cookies.getAll()`: -If no value is set for hasCrossSiteAncestor cookies with both true and false values for hasCrossSiteAncestor will be returned. Otherwise, cookies will be returned that match the topLevelSite and the passed value for hasCrossSiteAncestor. +If no value is set for hasCrossSiteAncestor cookies with both true and false values for hasCrossSiteAncestor will be returned. Otherwise, cookies will be returned that match the topLevelSite and the passed value for hasCrossSiteAncestor. When the `partitionKey` property is not specified, only unpartitioned cookies are returned. These cookies always have a `false` value for `hasCrossSiteAncestor`. - `cookies.set()`: As described the Abuse Mitigations section, this method will not allow a hasCrossSiteAncestor value of false, if the URL associated with the cookie and the topLevelSite in the partitionKey are not first-party. If this is attempted, an error will be returned. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. Additionally, if no `hasCrossSiteAncestor` value is provided it will be populated using the algorithm described above. From 3a8e2ba906ac2b192f56a33837f4ffc142028e37 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Wed, 7 Aug 2024 13:57:36 -0400 Subject: [PATCH 40/56] Update hasCrossSiteAncestor.md --- proposals/hasCrossSiteAncestor.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index f78f31ad..05bfd322 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -11,6 +11,8 @@ The cross-site ancestor chain bit is a component of the cookie partition key tha A third-party context occurs when the subresource the cookie is being set on has a cross-site frame ancestor. Once a frame is considered to be in a third-party context, all requests within that frame and its child frames are also third-party and have a cross site ancestor. Similarly, once a request redirects to a cross-site URL, it is considered third-party (even if it is subsequently redirected back to a first-party request after, that subsequent first-party request is now considered an ABA request). +Unpartitioned cookies, which are indicated by a cookie not containing a `partitionKey`, the key not containing a `topLevelSite` or an empty `topLevelSite`, always have a `hasCrossSiteAncestor` value of `false`. Top-level documents may have partitioned cookies (topLevelSite non-empty, i.e. set to the site of the top-level document), but hasCrossSiteAncestor is always false for top-level contexts by [design](https://github.com/explainers-by-googlers/CHIPS-spec/blob/main/draft-cutler-httpbis-partitioned-cookies.md). + Note: In the table below, sites A1, A2 and A3 are all first-party to each other. | Site frame tree |Site cookie is set on| hasCrossSiteAncestor value of cookie| Nodes that can't access the cookie| |---|---|--|--| From 8e05e8d33d42b2cd8c71b5c01a035760124424cc Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Mon, 12 Aug 2024 11:12:15 -0400 Subject: [PATCH 41/56] Update hasCrossSiteAncestor.md Add description for getPartitionKey() api. --- proposals/hasCrossSiteAncestor.md | 39 ++++++++++++++++++++++++------- 1 file changed, 30 insertions(+), 9 deletions(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 05bfd322..36564a35 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -2,7 +2,7 @@ **Summary** -Allow extensions to utilize a hasCrossSiteAncestor boolean value when interacting with partitioned cookies that include a cross-site ancestor chain bit in their partiton key. +Allow extensions to utilize a `hasCrossSiteAncestor` boolean value when interacting with partitioned cookies that include a cross-site ancestor chain bit in their partiton key. #### Background information: Description of Cross-site Ancestor Chain Bit in partitioned cookies 
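Review bot: The changed Summary line still contains "partiton key"; correct it to "partition key" while the line is being touched.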
@@ -11,7 +11,7 @@ The cross-site ancestor chain bit is a component of the cookie partition key tha A third-party context occurs when the subresource the cookie is being set on has a cross-site frame ancestor. Once a frame is considered to be in a third-party context, all requests within that frame and its child frames are also third-party and have a cross site ancestor. Similarly, once a request redirects to a cross-site URL, it is considered third-party (even if it is subsequently redirected back to a first-party request after, that subsequent first-party request is now considered an ABA request). -Unpartitioned cookies, which are indicated by a cookie not containing a `partitionKey`, the key not containing a `topLevelSite` or an empty `topLevelSite`, always have a `hasCrossSiteAncestor` value of `false`. Top-level documents may have partitioned cookies (topLevelSite non-empty, i.e. set to the site of the top-level document), but hasCrossSiteAncestor is always false for top-level contexts by [design](https://github.com/explainers-by-googlers/CHIPS-spec/blob/main/draft-cutler-httpbis-partitioned-cookies.md). +Unpartitioned cookies, which are indicated by a cookie not containing a `partitionKey`, the key not containing a `topLevelSite` or an empty `topLevelSite`, always have a `hasCrossSiteAncestor` value of `false`. Top-level documents may have partitioned cookies (topLevelSite non-empty, i.e. set to the site of the top-level document), but `hasCrossSiteAncestor` is always false for top-level contexts by [design](https://github.com/explainers-by-googlers/CHIPS-spec/blob/main/draft-cutler-httpbis-partitioned-cookies.md). Note: In the table below, sites A1, A2 and A3 are all first-party to each other. | Site frame tree |Site cookie is set on| hasCrossSiteAncestor value of cookie| Nodes that can't access the cookie| 
@@ -38,7 +38,7 @@ Note: In the table below, sites A1, A2 and A3 are all first-party to each other. https://github.com/privacycg/CHIPS/issues/40 is adding a cross-site ancestor bit value to partitioned cookies. ### Objective -To interact with partitioned cookies containing a cross-site ancestor chain bit correctly, extensions will need to have the ability to to specify a value (hasCrossSiteAncestor) that corresponds to the value of the cross-site ancestor chain bit in partitioned cookies. +To interact with partitioned cookies containing a cross-site ancestor chain bit correctly, extensions will need to have the ability to to specify a value (`hasCrossSiteAncestor`) that corresponds to the value of the cross-site ancestor chain bit in partitioned cookies. #### Use Cases 
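Review bot: The changed Objective line has a doubled word in "the ability to to specify"; drop one "to" while the line is being edited.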
@@ -48,7 +48,7 @@ Let's say a cookie manager extension (with host permissions) is used by users to #### Password Manager: Let’s say a password manager extension (with host permissions) is used by users to access their login information by setting a cookie that stores their usernames and passwords in an encrypted partitioned cookie. To protect their users against clickjacking, the extension adds a setting that prevents their cookies from being accessed, by default, in embeds that have cross site ancestors without triggering a user prompt. If permission is given through the prompt, the extension sets a cookie with a `hasCrossSiteAncestor` value of true. Upon subsequent visits, the extension checks the cookie store for the presence of a cookie with a `hasCrossSiteAncestor` value of true to determine whether the prompt needs to be rendered. -To allow for this protection and UX flow to work, the extension would need to have the ability to set/get cookies with specific hasCrossSiteAncestor values. +To allow for this protection and UX flow to work, the extension would need to have the ability to set/get cookies with specific `hasCrossSiteAncestor` values. ### Known Consumers All extensions that access and/or modify cookies with awareness of partitioned cookies, through the use of the `partitionKey` property in the `cookies` extension API. 
@@ -70,7 +70,28 @@ Adds a new optional boolean property `hasCrossSiteAncestor` to the `partitionKey } } ``` +#### Cookies.GetPartitionKey() +Adds a new API, `cookies.getPartitionKey()` which retrives a valid `partitionKey` for the indicated frame. +This is an asyncronus function that returns a promise. + +##### Syntax +``` +let key = cookies.getPartitionKey( + details // object +) +``` +##### Parameters +`details` object. Information about the frame to retrive information about. +> `tabId` +integer. The ID of the tab in which the frame is. + +> `frameId` +integer. The ID of the frame in the given tab. + +##### Return value +A Promise that will be fulfilled with a `Cookie.partitionKey` object that matches the properties given in the details parameter and contains the `hasCrossSiteAncestor` value associated with the current cross-site status of the frame. + ### New Permissions No new permissions are required. 
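Review bot: The new `cookies.getPartitionKey()` section does not say what access the caller needs to the frame named by `tabId` and `frameId`, while the section right after it still reads "No new permissions are required." A `partitionKey` carries the frame's `topLevelSite`, so the text should state whether host permission for the frame or tab is required, and what the promise does when the frame does not exist or the extension has no access to it (reject with an error, or resolve with an empty key). The return value is described as matching "the properties given in the details parameter", but `details` only holds `tabId` and `frameId`, so that phrase needs rewording. Also say whether `frameId` is optional, match the heading to the API name (`cookies.getPartitionKey()` rather than `Cookies.GetPartitionKey()`), and fix "retrives" (twice) and "asyncronus".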
@@ -86,7 +107,7 @@ Security: The `hasCrossSiteAncestor` boolean value does not impact security. No sensitive data is associated with the cross-site ancestor chain bit. ### Abuse Mitigations -A cookie may only have no cross-site ancestor when the topLevelSite in the partitionKey and the URL with which the cookie is associated with are first-party to each other. To prevent the creation of cookies that violate this, the set method will return an error if the URL and the topLevelSite are not first-party for cookies that are set with no-cross site ancestor. +A cookie may only have no cross-site ancestor when the `topLevelSite` in the `partitionKey` and the URL with which the cookie is associated with are first-party to each other. To prevent the creation of cookies that violate this, the set method will return an error if the URL and the `topLevelSite` are not first-party for cookies that are set with no-cross site ancestor. There are situations that can occur (such as an update to the public suffix list) which can change the if the topLevelSite and the URL are first-party to each other. To accomidate this possibility, the value for `hasCrossSiteAncestor` for the get(), getAll() and remove() methods will not be restricted. This will allow for web extensions to migrate or remove cookies that have become invalid after they have been set. 
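Review bot: The backticks are applied only to the first Abuse Mitigations paragraph; the paragraph after it still has a bare topLevelSite, along with "can change the if the" and "accomidate", so the section ends up half converted. That second paragraph is the one that leaves `get()`, `getAll()` and `remove()` unrestricted, so it should be at least as precise as the first. Suggest covering both paragraphs in this hunk, and dropping the doubled "with" in "the URL with which the cookie is associated with".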
@@ -94,13 +115,13 @@ There are situations that can occur (such as an update to the public suffix list None ## Alternatives -The hasCrossSiteAncestor value could be a value that is not exposed to extensions at all. Browsers that choose to include a cross-site ancestor chain bit in their partitioned cookies, could calculate the expected value of the cross-site ancestor chain bit from the URL associated with the cookie and the topLevelSite in the partitionKey. However, this could cause extensions to be unable to correctly set or get cookies (in an A1->B->A2 situation) as the browser may calculate the incorrect value for hasCrossSiteAncestor since it would not be explicitly provided by the extension. +The `hasCrossSiteAncestor` value could be a value that is not exposed to extensions at all. Browsers that choose to include a cross-site ancestor chain bit in their partitioned cookies, could calculate the expected value of the cross-site ancestor chain bit from the URL associated with the cookie and the `topLevelSite` in the `partitionKey`. However, this could cause extensions to be unable to correctly set or get cookies (in an A1->B->A2 situation) as the browser may calculate the incorrect value for `hasCrossSiteAncestor` since it would not be explicitly provided by the extension. ### Existing Workarounds To access cookies with the same `topLevelSite` but different `hasCrossSiteAncestor` values (A1->B->A2 context), developers can remove the `Partitioned` attribute from the cookie and use the Storage Access API in the context of web pages. ### Open Web API -The APIs being expanded to include the hasCrossSiteAncestor boolean are specific to extensions. +The APIs being expanded to include the `hasCrossSiteAncestor` boolean are specific to extensions. ## Implementation Notes 
@@ -113,10 +134,10 @@ When no value has been provided for `hasCrossSiteAncestor`, if the `domain` asso If no `hasCrossSiteAncestor` value is provided it will be populated using the algorithim described above. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. - `cookies.getAll()`: -If no value is set for hasCrossSiteAncestor cookies with both true and false values for hasCrossSiteAncestor will be returned. Otherwise, cookies will be returned that match the topLevelSite and the passed value for hasCrossSiteAncestor. When the `partitionKey` property is not specified, only unpartitioned cookies are returned. These cookies always have a `false` value for `hasCrossSiteAncestor`. +If no value is set for hasCrossSiteAncestor cookies with both true and false values for `hasCrossSiteAncestor` will be returned. Otherwise, cookies will be returned that match the `topLevelSite` and the passed value for `hasCrossSiteAncestor`. When the `partitionKey` property is not specified, only unpartitioned cookies are returned. These cookies always have a `false` value for `hasCrossSiteAncestor`. - `cookies.set()`: -As described the Abuse Mitigations section, this method will not allow a hasCrossSiteAncestor value of false, if the URL associated with the cookie and the topLevelSite in the partitionKey are not first-party. If this is attempted, an error will be returned. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. Additionally, if no `hasCrossSiteAncestor` value is provided it will be populated using the algorithm described above. +As described the Abuse Mitigations section, this method will not allow a `hasCrossSiteAncestor` value of false, if the URL associated with the cookie and the `topLevelSite` in the `partitionKey` are not first-party. If this is attempted, an error will be returned. 
If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. Additionally, if no `hasCrossSiteAncestor` value is provided it will be populated using the algorithm described above. - `cookies.remove()`: If no `hasCrossSiteAncestor` value is provided it will be populated using the algorithm described above when determing the cookie to remove. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. If `topLevelSite` and `hasCrossSiteAncestor` values are provided, they will be used by the method even if the combination of the values would be invalid. From 0d83efa68ad255fef0c9d3ee86b2ff5d25ec0417 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Tue, 13 Aug 2024 16:33:04 -0400 Subject: [PATCH 42/56] Update hasCrossSiteAncestor.md Updating language for getAll() to align it with the other APIs, where a partitionKey with no topLevelSite and a value for hasCrossSiteAncestor returns an error. --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 36564a35..dbb1ab4f 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -134,7 +134,7 @@ When no value has been provided for `hasCrossSiteAncestor`, if the `domain` asso If no `hasCrossSiteAncestor` value is provided it will be populated using the algorithim described above. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. - `cookies.getAll()`: -If no value is set for hasCrossSiteAncestor cookies with both true and false values for `hasCrossSiteAncestor` will be returned. Otherwise, cookies will be returned that match the `topLevelSite` and the passed value for `hasCrossSiteAncestor`. When the `partitionKey` property is not specified, only unpartitioned cookies are returned. These cookies always have a `false` value for `hasCrossSiteAncestor`. +If no value is set for hasCrossSiteAncestor cookies with both true and false values for `hasCrossSiteAncestor` will be returned. Otherwise, cookies will be returned that match the `topLevelSite` and the passed value for `hasCrossSiteAncestor`. When the `partitionKey` property is not specified, only unpartitioned cookies are returned. These cookies always have a `false` value for `hasCrossSiteAncestor`. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. - `cookies.set()`: As described the Abuse Mitigations section, this method will not allow a `hasCrossSiteAncestor` value of false, if the URL associated with the cookie and the `topLevelSite` in the `partitionKey` are not first-party. If this is attempted, an error will be returned. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. Additionally, if no `hasCrossSiteAncestor` value is provided it will be populated using the algorithm described above. From 8328697a6af851b1037f1c8bfc538a42ec3b9f0a Mon Sep 17 00:00:00 2001 
From: Aaron Selya Date: Fri, 16 Aug 2024 10:55:33 -0400 Subject: [PATCH 43/56] Update hasCrossSiteAncestor.md Update language to specify that `{hasCrossSiteAncestor: false}` and `{hasCrossSiteAncestor:true}` are invalid keys. --- proposals/hasCrossSiteAncestor.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index dbb1ab4f..1d677d9e 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -11,7 +11,11 @@ The cross-site ancestor chain bit is a component of the cookie partition key tha A third-party context occurs when the subresource the cookie is being set on has a cross-site frame ancestor. Once a frame is considered to be in a third-party context, all requests within that frame and its child frames are also third-party and have a cross site ancestor. Similarly, once a request redirects to a cross-site URL, it is considered third-party (even if it is subsequently redirected back to a first-party request after, that subsequent first-party request is now considered an ABA request). -Unpartitioned cookies, which are indicated by a cookie not containing a `partitionKey`, the key not containing a `topLevelSite` or an empty `topLevelSite`, always have a `hasCrossSiteAncestor` value of `false`. Top-level documents may have partitioned cookies (topLevelSite non-empty, i.e. set to the site of the top-level document), but `hasCrossSiteAncestor` is always false for top-level contexts by [design](https://github.com/explainers-by-googlers/CHIPS-spec/blob/main/draft-cutler-httpbis-partitioned-cookies.md). +Unpartitioned cookies, indicated by a cookie not containing a `partitionKey` or an empty `topLevelSite`, always have a `hasCrossSiteAncestor` value of `false`. An unpartitioned cookie can also be indicated with an empty `partitionKey` which will not have a value for `hasCrossSiteAncestor`. + +A `hasCrossSiteAncestor` value can only be validated if the `partitionKey` has a `topLevelSite`. Any `partitionKey` with no `topLevelSite` and a value for `hasCrossSiteAncestor` is considered invalid and will result in an error being thrown by the API. + +Top-level documents may have partitioned cookies (topLevelSite non-empty, i.e. set to the site of the top-level document), but `hasCrossSiteAncestor` is always false for top-level contexts by [design](https://github.com/explainers-by-googlers/CHIPS-spec/blob/main/draft-cutler-httpbis-partitioned-cookies.md). 
Note: In the table below, sites A1, A2 and A3 are all first-party to each other. | Site frame tree |Site cookie is set on| hasCrossSiteAncestor value of cookie| Nodes that can't access the cookie| From 9edb236a57eeafca492e32641cbb0f973a73b59a Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Mon, 19 Aug 2024 10:22:08 -0400 Subject: [PATCH 44/56] Update hasCrossSiteAncestor.md Add table containing valid partitionKeys. Update language in the background section to be more consistent. --- proposals/hasCrossSiteAncestor.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 1d677d9e..9d0cd963 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -9,13 +9,20 @@ Allow extensions to utilize a `hasCrossSiteAncestor` boolean value when interact The cross-site ancestor chain bit is a component of the cookie partition key that is set by the browser when keys are created. If the bit indicates true, it means the cookie has been set in a third-party context. A third-party context occurs when the subresource the cookie is being set on has a cross-site frame ancestor. -Once a frame is considered to be in a third-party context, all requests within that frame and its child frames are also third-party and have a cross site ancestor. Similarly, once a request redirects to a cross-site URL, it is considered third-party (even if it is subsequently redirected back to a first-party request after, that subsequent first-party request is now considered an ABA request). +Once a frame is considered to be in a third-party context, all requests within that frame and its child frames are also third-party and have a cross site ancestor. Similarly, once a request redirects to a cross-site URL, it is considered third-party (even if it is subsequently redirected back to a first-party request after, that subsequent first-party request is now considered an ABA request), unless the request causes a navigation of the top-level site. Since top-level documents may have partitioned cookies (topLevelSite non-empty, i.e. set to the site of the top-level document), but `hasCrossSiteAncestor` is always false for top-level contexts by [design](https://github.com/explainers-by-googlers/CHIPS-spec/blob/main/draft-cutler-httpbis-partitioned-cookies.md). -Unpartitioned cookies, indicated by a cookie not containing a `partitionKey` or an empty `topLevelSite`, always have a `hasCrossSiteAncestor` value of `false`. An unpartitioned cookie can also be indicated with an empty `partitionKey` which will not have a value for `hasCrossSiteAncestor`. 
+Unpartitioned cookies, indicated by a cookie not containing a `partitionKey` or an empty `topLevelSite`, always have a `hasCrossSiteAncestor` value of `false`. An unpartitioned cookie can also be indicated with an empty `partitionKey` which will not have a value for `hasCrossSiteAncestor` or `topLevelSite`. A `hasCrossSiteAncestor` value can only be validated if the `partitionKey` has a `topLevelSite`. Any `partitionKey` with no `topLevelSite` and a value for `hasCrossSiteAncestor` is considered invalid and will result in an error being thrown by the API. -Top-level documents may have partitioned cookies (topLevelSite non-empty, i.e. set to the site of the top-level document), but `hasCrossSiteAncestor` is always false for top-level contexts by [design](https://github.com/explainers-by-googlers/CHIPS-spec/blob/main/draft-cutler-httpbis-partitioned-cookies.md). +| Valid PartitionKeys | Description | +|---|---| +|`{topLevelSite : "https://example.com", hasCrossSiteAncestor: false}`| Partitioned cookie, set in a same-site context| +|`{topLevelSite : "https://example.com", hasCrossSiteAncestor: true}`| Partitioned cookie, set in a cross-site context| +|`{topLevelSite : "https://example.com"}`| Partitioned cookie, `hasCrossSiteAncestor` will be calculated by the browser| +|`{topLevelSite : "", hasCrossSiteAncestor: false}`| Unpartitioned cookie| +|`{topLevelSite : ""}`| Unpartitioned cookie, `hasCrossSiteAncestor` will default to false| +|`{}`| Unpartitioned cookie, when passed to `cookies.GetAll()` will return unpartitioned and partitioned cookies| Note: In the table below, sites A1, A2 and A3 are all first-party to each other. | Site frame tree |Site cookie is set on| hasCrossSiteAncestor value of cookie| Nodes that can't access the cookie| From 13ca34f6777b177d999492344269560d389c6f44 Mon Sep 17 00:00:00 2001 
From: Aaron Selya Date: Tue, 20 Aug 2024 11:26:09 -0400 Subject: [PATCH 45/56] Update hasCrossSiteAncestor.md Clarify language surrounding the empty partitionKey --- proposals/hasCrossSiteAncestor.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 9d0cd963..5d629e37 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -22,7 +22,6 @@ A `hasCrossSiteAncestor` value can only be validated if the `partitionKey` has a |`{topLevelSite : "https://example.com"}`| Partitioned cookie, `hasCrossSiteAncestor` will be calculated by the browser| |`{topLevelSite : "", hasCrossSiteAncestor: false}`| Unpartitioned cookie| |`{topLevelSite : ""}`| Unpartitioned cookie, `hasCrossSiteAncestor` will default to false| -|`{}`| Unpartitioned cookie, when passed to `cookies.GetAll()` will return unpartitioned and partitioned cookies| Note: In the table below, sites A1, A2 and A3 are all first-party to each other. | Site frame tree |Site cookie is set on| hasCrossSiteAncestor value of cookie| Nodes that can't access the cookie| 
@@ -136,9 +135,12 @@ The APIs being expanded to include the `hasCrossSiteAncestor` boolean are specif ## Implementation Notes -### Populating hasCrossSiteAncestor when not provided +### Populating hasCrossSiteAncestor when not provided: When no value has been provided for `hasCrossSiteAncestor`, if the `domain` associated with the `cookie` is same-site to the value of the `topLevelSite`, the `hasCrossSiteAncestor` value will be set to false otherwise the value will be set to true. +### Empty PartitionKey: `{}` +In `cookies.getAll()` an empty key `partitionKey = {}` will return both unpartitioned and partitioned cookies and `cookies.remove()` will remove both unpartitioned and partitioned cookies. For `cookies.get()` and `cookies.set()` an empty partitionKey will result in an error. + ### APIs affected by the change and the behavior assoicated with the change: - `cookies.get()`: From d76d4a1ce8c7ab8a521e108e60cae81a95c07f52 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Wed, 21 Aug 2024 10:24:13 -0400 Subject: [PATCH 46/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: bvandersloot-mozilla <90582190+bvandersloot-mozilla@users.noreply.github.com> --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 5d629e37..ad89c977 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -150,7 +150,7 @@ If no `hasCrossSiteAncestor` value is provided it will be populated using the al If no value is set for hasCrossSiteAncestor cookies with both true and false values for `hasCrossSiteAncestor` will be returned. Otherwise, cookies will be returned that match the `topLevelSite` and the passed value for `hasCrossSiteAncestor`. When the `partitionKey` property is not specified, only unpartitioned cookies are returned. These cookies always have a `false` value for `hasCrossSiteAncestor`. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. - `cookies.set()`: -As described the Abuse Mitigations section, this method will not allow a `hasCrossSiteAncestor` value of false, if the URL associated with the cookie and the `topLevelSite` in the `partitionKey` are not first-party. If this is attempted, an error will be returned. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. Additionally, if no `hasCrossSiteAncestor` value is provided it will be populated using the algorithm described above. +As described the Abuse Mitigations section, this method will not allow a `hasCrossSiteAncestor` value of false if the URL associated with the cookie and the `topLevelSite` in the `partitionKey` are not first-party. If this is attempted, an error will be returned. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. Additionally, if no `hasCrossSiteAncestor` value is provided it will be populated using the algorithm described above. - `cookies.remove()`: If no `hasCrossSiteAncestor` value is provided it will be populated using the algorithm described above when determing the cookie to remove. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. 
If `topLevelSite` and `hasCrossSiteAncestor` values are provided, they will be used by the method even if the combination of the values would be invalid. From 95f4753faae841286e738f13037965b2df21badc Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Wed, 21 Aug 2024 13:13:48 -0400 Subject: [PATCH 47/56] Update hasCrossSiteAncestor.md Update language to specify the domain of the cookie's url --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index ad89c977..99551c7c 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -136,7 +136,7 @@ The APIs being expanded to include the `hasCrossSiteAncestor` boolean are specif ## Implementation Notes ### Populating hasCrossSiteAncestor when not provided: -When no value has been provided for `hasCrossSiteAncestor`, if the `domain` associated with the `cookie` is same-site to the value of the `topLevelSite`, the `hasCrossSiteAncestor` value will be set to false otherwise the value will be set to true. +When no value has been provided for `hasCrossSiteAncestor`, if the `domain` of the cookie's `url` is same-site to the value of the `topLevelSite`, the `hasCrossSiteAncestor` value will be set to false otherwise the value will be set to true. ### Empty PartitionKey: `{}` In `cookies.getAll()` an empty key `partitionKey = {}` will return both unpartitioned and partitioned cookies and `cookies.remove()` will remove both unpartitioned and partitioned cookies. For `cookies.get()` and `cookies.set()` an empty partitionKey will result in an error. From 0447b923a26c2f8849de45e29045cd3377483f9b Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Wed, 21 Aug 2024 15:59:18 -0400 Subject: [PATCH 48/56] Update hasCrossSiteAncestor.md Return {} to the table of valid partition keys --- proposals/hasCrossSiteAncestor.md | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) 
diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 99551c7c..687a8ad6 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -17,11 +17,12 @@ A `hasCrossSiteAncestor` value can only be validated if the `partitionKey` has a | Valid PartitionKeys | Description | |---|---| -|`{topLevelSite : "https://example.com", hasCrossSiteAncestor: false}`| Partitioned cookie, set in a same-site context| -|`{topLevelSite : "https://example.com", hasCrossSiteAncestor: true}`| Partitioned cookie, set in a cross-site context| -|`{topLevelSite : "https://example.com"}`| Partitioned cookie, `hasCrossSiteAncestor` will be calculated by the browser| -|`{topLevelSite : "", hasCrossSiteAncestor: false}`| Unpartitioned cookie| -|`{topLevelSite : ""}`| Unpartitioned cookie, `hasCrossSiteAncestor` will default to false| +|`{topLevelSite : "https://example.com", hasCrossSiteAncestor: false}`| Partitioned cookie, set in a same-site context.| +|`{topLevelSite : "https://example.com", hasCrossSiteAncestor: true}`| Partitioned cookie, set in a cross-site context.| +|`{topLevelSite : "https://example.com"}`| Partitioned cookie, `hasCrossSiteAncestor` will be calculated by the browser.| +|`{topLevelSite : "", hasCrossSiteAncestor: false}`| Unpartitioned cookie.| +|`{topLevelSite : ""}`| Unpartitioned cookie, `hasCrossSiteAncestor` will default to false.| +| `{}`| Unpartitioned cookie, `hasCrossSiteAncestor` will default to false. Except in `cookies.getAll()` where will result in both partitioned and unpartitioned cookies being returned.| Note: In the table below, sites A1, A2 and A3 are all first-party to each other. | Site frame tree |Site cookie is set on| hasCrossSiteAncestor value of cookie| Nodes that can't access the cookie| 
@@ -136,10 +137,7 @@ The APIs being expanded to include the `hasCrossSiteAncestor` boolean are specif ## Implementation Notes ### Populating hasCrossSiteAncestor when not provided: -When no value has been provided for `hasCrossSiteAncestor`, if the `domain` of the cookie's `url` is same-site to the value of the `topLevelSite`, the `hasCrossSiteAncestor` value will be set to false otherwise the value will be set to true. - -### Empty PartitionKey: `{}` -In `cookies.getAll()` an empty key `partitionKey = {}` will return both unpartitioned and partitioned cookies and `cookies.remove()` will remove both unpartitioned and partitioned cookies. For `cookies.get()` and `cookies.set()` an empty partitionKey will result in an error. +When no value has been provided for `hasCrossSiteAncestor`, if the `domain` of the cookie's `url` is same-site to the value of the `topLevelSite`, the `hasCrossSiteAncestor` value will be set to false otherwise the value will be set to true. ### APIs affected by the change and the behavior assoicated with the change: From ac347847a0d0149facf5086dc14888142e4a4d90 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Thu, 22 Aug 2024 10:09:34 -0400 Subject: [PATCH 49/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Rob Wu --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 687a8ad6..f22ffa36 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -83,7 +83,7 @@ Adds a new optional boolean property `hasCrossSiteAncestor` to the `partitionKey ``` #### Cookies.GetPartitionKey() Adds a new API, `cookies.getPartitionKey()` which retrives a valid `partitionKey` for the indicated frame. - +This is an asynchronous function that returns a promise. This is an asyncronus function that returns a promise. ##### Syntax From f21810ec915d66293ce6270960efc41633a14692 Mon Sep 17 00:00:00 2001 
From: Aaron Selya Date: Thu, 22 Aug 2024 10:12:10 -0400 Subject: [PATCH 50/56] Update hasCrossSiteAncestor.md --- proposals/hasCrossSiteAncestor.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index f22ffa36..7c411149 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -82,9 +82,8 @@ Adds a new optional boolean property `hasCrossSiteAncestor` to the `partitionKey } ``` #### Cookies.GetPartitionKey() -Adds a new API, `cookies.getPartitionKey()` which retrives a valid `partitionKey` for the indicated frame. +Adds a new API, `cookies.getPartitionKey()` which retrieves a valid `partitionKey` for the indicated frame. This is an asynchronous function that returns a promise. -This is an asyncronus function that returns a promise. ##### Syntax ``` @@ -93,7 +92,7 @@ let key = cookies.getPartitionKey( ) ``` ##### Parameters -`details` object. Information about the frame to retrive information about. +`details` object. Information about the frame to retrieve information about. > `tabId` integer. The ID of the tab in which the frame is. 
@@ -151,4 +150,4 @@ If no value is set for hasCrossSiteAncestor cookies with both true and false val As described the Abuse Mitigations section, this method will not allow a `hasCrossSiteAncestor` value of false if the URL associated with the cookie and the `topLevelSite` in the `partitionKey` are not first-party. If this is attempted, an error will be returned. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. Additionally, if no `hasCrossSiteAncestor` value is provided it will be populated using the algorithm described above. - `cookies.remove()`: -If no `hasCrossSiteAncestor` value is provided it will be populated using the algorithm described above when determing the cookie to remove. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. If `topLevelSite` and `hasCrossSiteAncestor` values are provided, they will be used by the method even if the combination of the values would be invalid. +If no `hasCrossSiteAncestor` value is provided it will be populated using the algorithm described above when determing the cookie to remove. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be urned. If `topLevelSite` and `hasCrossSiteAncestor` values are provided, they will be used by the method even if the combination of the values would be invalid. From 589dab845c084b4b9019cf606cde70296fced850 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Thu, 22 Aug 2024 10:13:02 -0400 Subject: [PATCH 51/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Rob Wu --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 7c411149..0304238e 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -87,7 +87,7 @@ This is an asynchronous function that returns a promise. ##### Syntax ``` -let key = cookies.getPartitionKey( +let key = await browser.cookies.getPartitionKey( details // object ) ``` From 39aefc96808cca84f90655111cddfd3916d2a05e Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Thu, 22 Aug 2024 10:33:38 -0400 Subject: [PATCH 52/56] Update hasCrossSiteAncestor.md Add table describing inputs for getPartitionKey() --- proposals/hasCrossSiteAncestor.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index 0304238e..a60523bd 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -93,12 +93,22 @@ let key = await browser.cookies.getPartitionKey( ``` ##### Parameters `details` object. Information about the frame to retrieve information about. -> `tabId` +> `tabId` optional integer. The ID of the tab in which the frame is. -> `frameId` +> `frameId` optional integer. The ID of the frame in the given tab. +> `documentId` optional +string. A UUID of the document. + +| Required Combinations | Notes | +|---|---| +|frameId | frameId must be a non-zero value| +|tabId + frameId |frameId can be 0| +|tabId | will use the top-level frame (frameId 0)| +|documentId| tabId/frameId are not required but permitted| + ##### Return value A Promise that will be fulfilled with a `Cookie.partitionKey` object that matches the properties given in the details parameter and contains the `hasCrossSiteAncestor` value associated with the current cross-site status of the frame. From 7d42807ac65233909e6ee2e3bcb4cb98fd8f113e Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Wed, 11 Sep 2024 15:50:57 -0400 Subject: [PATCH 53/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Rob Wu --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index a60523bd..f1eb6f08 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -39,7 +39,7 @@ Note: In the table below, sites A1, A2 and A3 are all first-party to each other. **Sponsoring Browser:** Chrome -**Contributors:** [DCtheTall](https://github.com/Dcthetall) +**Contributors:** [DCtheTall](https://github.com/DCtheTall), [Rob--W](https://github.com/Rob--W) **Created:** 2024-04-01 From 0aed6484bb5fc35521c950640f1a71c6067d4ad8 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Wed, 11 Sep 2024 15:51:10 -0400 Subject: [PATCH 54/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Rob Wu --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index f1eb6f08..eda1dd43 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -160,4 +160,4 @@ If no value is set for hasCrossSiteAncestor cookies with both true and false val As described the Abuse Mitigations section, this method will not allow a `hasCrossSiteAncestor` value of false if the URL associated with the cookie and the `topLevelSite` in the `partitionKey` are not first-party. If this is attempted, an error will be returned. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. Additionally, if no `hasCrossSiteAncestor` value is provided it will be populated using the algorithm described above. - `cookies.remove()`: -If no `hasCrossSiteAncestor` value is provided it will be populated using the algorithm described above when determing the cookie to remove. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be urned. If `topLevelSite` and `hasCrossSiteAncestor` values are provided, they will be used by the method even if the combination of the values would be invalid. +If no `hasCrossSiteAncestor` value is provided it will be populated using the algorithm described above when determing the cookie to remove. If a `hasCrossSiteAncestor` value is provided without a corresponding `topLevelSite` value, an error will be returned. If `topLevelSite` and `hasCrossSiteAncestor` values are provided, they will be used by the method even if the combination of the values would be invalid. From cfe1825dc18f4ad6638e5c5eb4a56383ba3c334f Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Wed, 11 Sep 2024 15:52:15 -0400 Subject: [PATCH 55/56] Update proposals/hasCrossSiteAncestor.md Co-authored-by: Rob Wu --- proposals/hasCrossSiteAncestor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index eda1dd43..e5c78252 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md 
@@ -81,7 +81,7 @@ Adds a new optional boolean property `hasCrossSiteAncestor` to the `partitionKey } } ``` -#### Cookies.GetPartitionKey() +#### Cookies.getPartitionKey() Adds a new API, `cookies.getPartitionKey()` which retrieves a valid `partitionKey` for the indicated frame. This is an asynchronous function that returns a promise. From 92b747da254a2417f8882950e7806df454a79da4 Mon Sep 17 00:00:00 2001 From: Aaron Selya Date: Thu, 12 Sep 2024 08:42:09 -0400 Subject: [PATCH 56/56] Update hasCrossSiteAncestor.md describe error conditions of new api --- proposals/hasCrossSiteAncestor.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/proposals/hasCrossSiteAncestor.md b/proposals/hasCrossSiteAncestor.md index e5c78252..10246b92 100644 --- a/proposals/hasCrossSiteAncestor.md +++ b/proposals/hasCrossSiteAncestor.md @@ -95,10 +95,10 @@ let key = await browser.cookies.getPartitionKey( `details` object. Information about the frame to retrieve information about. > `tabId` optional integer. The ID of the tab in which the frame is. - +> > `frameId` optional integer. The ID of the frame in the given tab. - +> > `documentId` optional string. A UUID of the document. @@ -111,7 +111,11 @@ string. A UUID of the document. ##### Return value A Promise that will be fulfilled with a `Cookie.partitionKey` object that matches the properties given in the details parameter and contains the `hasCrossSiteAncestor` value associated with the current cross-site status of the frame. - + +##### Error conditions +- If host permissions are not granted for the document whose partitionkey is getting queried an error will be returned. +- When the parameters passed do not correspond to an existing frame, an error will be returned. + ### New Permissions No new permissions are required.
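Review bot: In PATCH 44/56 (hunk `@@ -9,13 +9,20 @@`), the new table lists `{topLevelSite : "", hasCrossSiteAncestor: false}` as a valid key, but the unchanged paragraph just above it says any `partitionKey` with no `topLevelSite` and a value for `hasCrossSiteAncestor` is invalid and throws. State whether an empty-string `topLevelSite` counts as "no `topLevelSite`" for that rule, so implementers do not diverge on which keys are rejected. In the same hunk, the added sentence beginning "Since top-level documents may have partitioned cookies" has no main clause, and the `{}` row spells the method `cookies.GetAll()` where the rest of the document uses `cookies.getAll()`.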
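Review bot: In PATCH 45/56 (hunk `@@ -136,9 +135,12 @@`), the new "Empty PartitionKey" section says `cookies.get()` and `cookies.set()` error on `{}`, while the background paragraph still says an unpartitioned cookie "can also be indicated with an empty `partitionKey`". One of the two needs to change. The section also makes `cookies.remove()` with `{}` delete both unpartitioned and partitioned cookies, which the `cookies.remove()` bullet under "APIs affected" does not mention; repeat it there, since a caller reading only that bullet would not expect a removal across partitions.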
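Review bot: In PATCH 47/56 (hunk `@@ -136,7 +136,7 @@`), the populating rule compares only the cookie's `url` with `topLevelSite`, so it always yields `false` for a same-site URL, yet the background section says a frame below a cross-site ancestor keeps a cross-site ancestor (the ABA case). Document here that a cookie set in such a frame has `hasCrossSiteAncestor: true` and is only matched by `cookies.get()` or `cookies.remove()` when the caller passes the bit explicitly, for example the value obtained from `cookies.getPartitionKey()`. The sentence also needs a comma or full stop before "otherwise".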
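Review bot: In PATCH 48/56 (hunk `@@ -136,10 +137,7 @@`), removing the "Empty PartitionKey" section deletes the statements that `cookies.get()` and `cookies.set()` reject `{}` and that `cookies.remove()` with `{}` removes both kinds of cookie, while the re-added table row now describes `{}` as an unpartitioned cookie with `hasCrossSiteAncestor` defaulting to false. If the behaviour changed, say so in the commit message and in the per-method bullets; if it did not, keep the removed statements. The re-added row also reads "where will result in", which is missing its subject.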
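Review bot: In PATCH 49/56 (hunk `@@ -83,7 +83,7 @@`), the corrected sentence is added on the blank line while the misspelled "This is an asyncronus function that returns a promise." stays as context, so the section states the same thing twice. Replace the old sentence instead of adding a second one.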
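Review bot: In PATCH 50/56 (hunk `@@ -151,4 +150,4 @@`), the replacement line for `cookies.remove()` changes "an error will be returned" to "an error will be urned"; restore "returned". That is the only visible difference on the line, and "determing" is still misspelled, so the hunk looks like an accidental edit that should be dropped or turned into the spelling fix.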
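Review bot: In PATCH 52/56 (hunk `@@ -93,12 +93,22 @@`), `tabId`, `frameId` and `documentId` all become optional, but the "Required Combinations" table does not say what happens when `details` carries none of them, or when `documentId` is passed together with a `tabId`/`frameId` that names a different frame. Add a row or sentence defining both cases (an error, or which value wins), since "not required but permitted" leaves the conflict undefined.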
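Review bot: In PATCH 56/56 (hunk `@@ -111,7 +111,11 @@`), the first error condition checks host permissions only for "the document whose partitionkey is getting queried", while the returned key also carries `topLevelSite`. Say whether permission for the top-level site is required as well, or state explicitly that it is not, because the answer decides whether an extension with access to an embedded frame alone can read which site embeds it. Spell `partitionKey` with the casing used in the rest of the document.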