<div dir="ltr"><div>It seemed like there was a fair amount of miscommunication at the end of the call around the "POST" issue that George brought up as an example of an impactful change. Hopefully I don't further contribute to the miscommunication but I think he was talking about the [defaulting to SameSite=]Lax + POST mitigation mentioned in <a href="https://www.chromium.org/updates/same-site/faq">https://www.chromium.org/updates/same-site/faq</a> and copied here:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div style="color:rgb(0,0,0);font-family:Arial,Verdana,sans-serif;font-size:13.3333px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><h3>Q: What is the Lax + POST mitigation?</h3>This is a specific exception made to account for existing cookie usage on some Single Sign-On implementations where a CSRF token is expected on a cross-site POST request. This is purely a temporary solution and will be removed in the future. It does not add any new behavior, but instead is just not applying the new<span> </span><code style="color:rgb(0,96,0)">SameSite=Lax</code><span> </span>default in certain scenarios.<br><br></div><div style="color:rgb(0,0,0);font-family:Arial,Verdana,sans-serif;font-size:13.3333px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Specifically, a cookie that is at most 2 minutes old will be sent on a top-level cross-site POST request. 
However, if you rely on this behavior, you should update these cookies with the<span> </span><code style="color:rgb(0,96,0)">SameSite=None; Secure</code><span> </span>attributes to ensure they continue to function in the future.</div></div></blockquote></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 23, 2021 at 9:27 AM Tim Cappalli via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black">Hi all,</span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black"> </span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black">Here's the agenda for tomorrow.<br>
</span><span style="margin:0px;font-family:Arial,Helvetica,sans-serif;color:rgb(0,0,0)"><br>
</span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
</p>
<div>* Intros, reintros, agenda bash
<div>* Review <a href="https://docs.google.com/document/d/1z9Plb3ntW8s_dg9SSjd6Z7_88I4KhVjaGYYSoEYC40Y" title="https://docs.google.com/document/d/1z9Plb3ntW8s_dg9SSjd6Z7_88I4KhVjaGYYSoEYC40Y" target="_blank">
known use case list</a> and request for contributions</div>
<div></div>
<div>* Review submitted use cases</div>
<div>* Topics for next call</div>
* Open Discussion<br>
</div>
<div style="margin:0px;font-size:15px;color:rgb(32,31,30);background-color:rgb(255,255,255)">
</div>
<p style="margin-top:0px;margin-bottom:0px;color:rgb(32,31,30);font-size:15px;background-color:rgb(255,255,255)">
</p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black">Meeting Link: <a href="https://global.gotomeeting.com/join/379258645" rel="noopener noreferrer" style="margin:0px;color:rgb(5,99,193);text-decoration:underline" target="_blank"><span style="margin:0px;padding:0in;border:1pt none windowtext">https://global.gotomeeting.com/join/379258645</span></a> | <a href="https://www.timeanddate.com/worldclock/converter.html?iso=20210113T190500&p1=22&p2=248&p3=236&p4=438&p5=776&p6=16&p7=1440&p8=43&p9=24&p10=220&p11=234" rel="noopener noreferrer" title="https://www.timeanddate.com/worldclock/converter.html?iso=20210113T190500&p1=22&p2=248&p3=236&p4=438&p5=776&p6=16&p7=1440&p8=43&p9=24&p10=220&p11=234" style="margin:0px;color:rgb(5,99,193);text-decoration:underline" target="_blank"><span style="margin:0px;padding:0in;border:1pt none windowtext">Time</span></a></span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black"> </span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black">Meeting Agenda / Notes Page: <a href="https://bitbucket.org/openid/connect/wiki/Browser%20Interactions%20Special%20Topics%20Call%20-%2020210324" id="gmail-m_2874940335059583423LPlnk673047" target="_blank">openid / connect / wiki / Browser
Interactions Special Topics Call - 20210324 — Bitbucket</a></span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black"><br>
</span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black">Meeting Landing Page: </span><span style="margin:0px;font-family:Arial,sans-serif;color:rgb(47,85,151)"><a href="https://bitbucket.org/openid/connect/wiki/Browser%20Interactions%20Special%20Topics%20Call" rel="noopener noreferrer" style="margin:0px;color:rgb(5,99,193);text-decoration:underline" target="_blank"><span style="margin:0px;padding:0in;border:1pt none windowtext;color:rgb(47,85,151)">openid
/ connect / wiki /<span style="margin:0px"> </span><span style="margin:0px">Browser</span><span style="margin:0px"> </span><span style="margin:0px">Interactions</span> <span style="margin:0px">Special</span> <span style="margin:0px">Topic</span>s
Call — Bitbucket</span></a></span><span style="margin:0px;font-family:Arial,sans-serif;color:black"></span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black"> </span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black"><br>
</span></p>
<p style="margin:0in;color:rgb(32,31,30);font-family:Calibri,sans-serif;font-size:12pt;background:white none repeat scroll 0% 0%">
<span style="margin:0px;font-family:Arial,sans-serif;color:black">tim</span></p>
</div>
</div>
</blockquote></div>
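<p>The Lax + POST behaviour quoted from the FAQ above, as an added example that is not part of the original message or of Chromium's code: a simplified model of when a cookie is attached to a cross-site request, plus a check that flags a Set-Cookie header depending on the temporary two-minute exception. All function names and sample headers are constructed, and Domain, Path and expiry matching are left out.</p>

```javascript
// Added example: simplified model of the behaviour in the quoted FAQ.
// All names are constructed; Domain/Path/expiry matching is out of scope.
const LAX_POST_WINDOW_MS = 2 * 60 * 1000; // "at most 2 minutes old"
const SAFE_METHODS = ["GET", "HEAD", "OPTIONS", "TRACE"];

// Parse one Set-Cookie header value into the attributes that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (key === "secure") cookie.secure = true;
    // Missing or unrecognised SameSite values fall back to the default (null).
    if (key === "samesite" && ["strict", "lax", "none"].includes(value)) {
      cookie.sameSite = value;
    }
  }
  return cookie;
}

// Is the cookie attached to a cross-site request made ageMs after it was set?
function sentCrossSite(cookie, { method, topLevel }, ageMs) {
  if (cookie.sameSite === "none") return cookie.secure; // None requires Secure
  if (cookie.sameSite === "strict") return false;
  if (!topLevel) return false; // Lax never covers subresources or iframes
  if (SAFE_METHODS.includes(method)) return true; // ordinary Lax navigation
  // Lax + POST: only cookies with no SameSite attribute, only while fresh.
  return cookie.sameSite === null && method === "POST" && ageMs <= LAX_POST_WINDOW_MS;
}

// True when a cookie works for a quick cross-site POST back to the site but
// fails once the user spends more than two minutes away, i.e. it depends on
// the temporary exception and needs "SameSite=None; Secure".
function reliesOnLaxPost(header) {
  const cookie = parseSetCookie(header);
  const post = { method: "POST", topLevel: true };
  return sentCrossSite(cookie, post, 60 * 1000) && !sentCrossSite(cookie, post, 180 * 1000);
}

// Constructed sample headers for an SSO state cookie.
const samples = [
  "sso_state=abc123; Path=/; HttpOnly",
  "sso_state=abc123; Path=/; HttpOnly; SameSite=Lax",
  "sso_state=abc123; Path=/; HttpOnly; SameSite=None; Secure",
];
for (const h of samples) console.log(reliesOnLaxPost(h), h);
```

<p>Only the first sample is flagged: the explicit <code>SameSite=Lax</code> cookie is never sent on the cross-site POST, and the <code>SameSite=None; Secure</code> cookie is sent regardless of its age.</p>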
<br>