In the explainer section on A>B>A embeds, one possible solution we proposed was to allow A>B>A embeds to use CORS to regain cookie access without needing to call the Request Storage Access API.
After thinking about this more and discussing with our team, we have decided that CORS is not the right solution for A>B>A embeds that need an HTTP-only solution to restore cookie access. Our main line of reasoning is that requests opted into CORS still send credentials by default before the site has a chance to reveal to the browser whether the context sending cookies is acceptable. In particular, this can cause a problem for cross-site POST requests which may have side effects on the server side before they can tell the browser not to send cookies.
A more favorable solution for this use case is the Request Storage Access headers proposal, which offers a mechanism that will not send cookies to the site until it has explicitly opted into doing so in that particular context.
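The ordering problem described above, as an added simulation that is not part of the issue or of either proposal's code: a toy endpoint for site A plus a minimal browser model, assuming the `Sec-Fetch-Storage-Access` request header and the `Activate-Storage-Access: retry; allowed-origin="..."` response directive as described in the Storage Access Headers proposal, with constructed origins and a constructed session cookie.

```python
from dataclasses import dataclass, field

# Constructed values for the A>B>A scenario: A is the top-level site, B
# embeds A again, and the inner A frame POSTs back to A.
A_ORIGIN = "https://a.example"


@dataclass
class Request:
    headers: dict
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def server_a(req: Request, audit: list) -> Response:
    """Site A's POST endpoint. Every side effect is recorded in `audit`,
    so the test can see whether state changed before A opted in."""
    state = req.headers.get("Sec-Fetch-Storage-Access", "none")
    if state == "inactive":
        # Permission exists but is inactive: the browser withheld cookies.
        # Opt in for contexts whose top-level origin is A, and do no work
        # on this attempt; the browser will retry with cookies if allowed.
        return Response(401, {"Activate-Storage-Access":
                              f'retry; allowed-origin="{A_ORIGIN}"'})
    if "session" in req.cookies:
        audit.append(("mutate-as", req.cookies["session"]))  # side effect
        return Response(200)
    return Response(401)  # no cookies: refuse without side effects


def browser_post(mode: str, top_level: str, cookies: dict, audit: list) -> Response:
    """Simulated browser issuing the POST from the inner A frame.
    mode="cors": credentials ride on the very first request (the issue's
    concern: the server mutates state before it could decline cookies).
    mode="sah": Storage Access Headers flow with an inactive permission;
    cookies are only sent on the retry, and only if the server's
    allowed-origin matches this context's top-level origin."""
    if mode == "cors":
        return server_a(Request({"Origin": A_ORIGIN}, dict(cookies)), audit)
    first = server_a(Request({"Sec-Fetch-Storage-Access": "inactive"}), audit)
    directive = first.headers.get("Activate-Storage-Access", "")
    if directive.startswith("retry") and f'allowed-origin="{top_level}"' in directive:
        retry = Request({"Sec-Fetch-Storage-Access": "active"}, dict(cookies))
        return server_a(retry, audit)
    return first  # browser does not retry; cookies were never sent
```

With a foreign top-level origin, the CORS path has already mutated state by the time the server could object, while the headers path never delivers the cookie at all.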