On 18/07/2025 16:15, Claude Pache wrote:
> Hi,
Hi Claude
> 1. The RFC says: “CHIPS technology was introduced not so long ago, but still has “little” adoption (currently “only” available in Blink-based browsers).”
> It might be useful to add the following precisions, so that we are more confident that it has good chance not to remain a Blink-only feature:
> * As of time of writing, there is an experimental implementation in Firefox.
> * The feature has also been implemented in Safari, but has been temporarily disabled because of an issue known by Apple only.
Sure! Those are good points to clarify the introduction. Thanks!
> 2. All examples in the RFC are variations on `setcookie("name", "value", ["secure" => true, "partitioned" => true]);`, without same-site attribute.
> As partitioned cookies are only meaningful as third-party cookies, what is the behaviour when:
> (a) the same-site attribute is set to anything different from "None"?
> (b) the same-site attribute is omitted? (Although historically, omitting the same-site parameter is equivalent to setting it to "None", browser vendors are willing to switch the default to "Lax", and some browsers (including Blink-based ones) have already done the switch.)
> In all examples I’ve seen on the web, an explicit `samesite=None` attribute is added to partitioned cookies, probably for some good reason?
Yep, all examples use "samesite=None" because you need that to create a 3rd party cookie. So including "Partitioned" without "samesite=None" is useless in those cases.
Although if "samesite=Lax" is still the default for a particular browser, then it won't be useless, but I believe the goal is - as you said - to switch all browsers over to "samesite=None".
According to the privacycg/CHIPS proposal on GitHub (https://github.com/privacycg/CHIPS, "A proposal for a cookie attribute to partition cross-site cookies by top-level site"), the following will happen:
(a) The cookie won't be sent to a 3rd party context and "Partitioned" won't have an effect. The cookie header is still interpreted correctly so it will have an effect on the origin site, just not in a 3rd party context.
(b) Depends on what the default is for a particular browser.
Kind regards
Niels
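As an added example (not part of this thread or of the RFC), a small auditor over Set-Cookie header values that flags the two cases discussed above: a Partitioned cookie whose SameSite value is not None (case (a), ineffective in a third-party context), a Partitioned cookie with SameSite omitted (case (b), behaviour depends on the browser default), and a Partitioned cookie that lacks Secure. The header strings are constructed for the demonstration, not taken from any real site.

```python
# Added example: audit Set-Cookie values for the Partitioned / SameSite / Secure
# interplay discussed in the thread. Constructed inputs, no real site involved.


def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, {attribute-lowercased: value}).

    Flag attributes such as 'Secure' or 'Partitioned' map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header: str) -> list[str]:
    """Return finding codes describing whether 'Partitioned' will take effect."""
    _name, attrs = parse_set_cookie(header)
    findings: list[str] = []
    if "partitioned" not in attrs:
        return findings  # nothing partition-related to check
    if "secure" not in attrs:
        # CHIPS only applies to Secure cookies; without it the attribute is ignored.
        findings.append("partitioned-without-secure")
    samesite = attrs.get("samesite")
    if samesite is None:
        # Case (b): whether this is a third-party cookie depends on the browser default.
        findings.append("partitioned-with-default-samesite")
    elif samesite.lower() != "none":
        # Case (a): the cookie is never sent cross-site, so Partitioned has no effect there.
        findings.append("partitioned-ineffective-samesite-" + samesite.lower())
    return findings


if __name__ == "__main__":
    # Constructed sample headers covering the cases from the thread.
    samples = [
        "sid=abc; Secure; SameSite=None; Partitioned",
        "sid=abc; Secure; Partitioned",
        "sid=abc; Secure; SameSite=Lax; Partitioned",
        "sid=abc; SameSite=None; Partitioned",
    ]
    for sample in samples:
        print(sample, "->", audit_set_cookie(sample) or ["ok"])
```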