w3c/network-error-logging

`request_headers` may send SameSite cookies cross-site

Opened this issue · 2 comments

If a NEL policy requests Cookie headers be sent in the request_headers report field, then SameSite cookies may be sent cross-site to a report collector.

Discussed at TPAC, and the sentiment in the room was that we perhaps should simply not send cookies in reports.
(Also see #112)

Beyond that, NEL collectors in the room are currently actively stripping that information and have no use-case for it. So there's no apparent trade-off in simply removing headers from the reports.
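As an added illustration of the problem the issue describes (example code, not from the issue or the spec repository): a small Python policy audit that flags a NEL policy which requests `Cookie` in `request_headers` while its `Report-To` endpoint sits on another host, plus the collector-side stripping the commenter mentions. The header values, report and hostnames are constructed samples.

```python
import json
from urllib.parse import urlsplit

COOKIE_HEADERS = ("cookie",)  # lower-case header names that must never reach a collector

def parse_report_to(header_value):
    """Parse a Report-To header (comma-separated JSON objects) into
    {group name: [endpoint URLs]}."""
    groups = json.loads("[" + header_value + "]")
    return {g["group"]: [e["url"] for e in g.get("endpoints", [])] for g in groups}

def audit_nel_policy(nel_value, report_to_value, page_url):
    """Return collector URLs that would receive the page's cookies: the policy
    lists Cookie in request_headers and the endpoint is on another host."""
    policy = json.loads(nel_value)
    wants_cookie = any(h.lower() in COOKIE_HEADERS for h in policy.get("request_headers", []))
    if not wants_cookie:
        return []
    page_host = urlsplit(page_url).hostname
    endpoints = parse_report_to(report_to_value).get(policy["report_to"], [])
    # Deliberate simplification: a true same-site test needs the public
    # suffix list to compare registrable domains, not bare hostnames.
    return [url for url in endpoints if urlsplit(url).hostname != page_host]

def strip_cookies_from_report(report):
    """Collector-side mitigation: drop cookie headers from the header maps a
    NEL report body carries (header name -> list of values)."""
    body = report.get("body", {})
    for key in ("request_headers", "response_headers"):
        if key in body:
            body[key] = {name: values for name, values in body[key].items()
                         if name.lower() not in COOKIE_HEADERS}
    return report

# Constructed sample headers and report; hostnames are made up for the example.
NEL_HEADER = '{"report_to":"nel","max_age":2592000,"request_headers":["Cookie","Referer"]}'
REPORT_TO_HEADER = '{"group":"nel","max_age":2592000,"endpoints":[{"url":"https://collector.example.net/nel"}]}'
SAMPLE_REPORT = {
    "type": "network-error",
    "url": "https://shop.example.com/cart",
    "body": {"type": "http.error", "status_code": 500,
             "request_headers": {"Cookie": ["session=abc123"],
                                 "Referer": ["https://shop.example.com/"]}},
}

if __name__ == "__main__":
    print("leaky collectors:", audit_nel_policy(NEL_HEADER, REPORT_TO_HEADER, "https://shop.example.com/cart"))
    print("sanitised report:", json.dumps(strip_cookies_from_report(SAMPLE_REPORT)))
```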