*For this demo to be accurate, third-party cookies must currently be blocked in your browser and the Finch feature `AllowSameSiteNoneCookiesInSandbox` must be enabled.*
Set a cookie on the top-level domain by clicking this button.
Verify the cookie was set on the top-level by checking `document.cookie` for the current domain.
Content-Security-Policy HTTP Header
Default sandboxing policy: `Content-Security-Policy: sandbox`
With the default Content-Security-Policy sandbox header, WITHOUT the `allow-same-site-none-cookies` value, we expect that cookies WERE NOT sent in subresource requests from this frame.
`Content-Security-Policy: sandbox allow-same-site-none-cookies`
With the Content-Security-Policy sandbox header WITH the `allow-same-site-none-cookies` value, we expect that cookies WERE sent in subresource requests from this frame.
Iframe sandbox attribute
`<iframe sandbox="">`
With the default iframe sandbox, WITHOUT the `allow-same-site-none-cookies` value, we expect that cookies WERE NOT sent in subresource requests from this frame.
`<iframe sandbox="allow-same-site-none-cookies">`
With the iframe sandbox attribute WITH the `allow-same-site-none-cookies` value, we expect that cookies WERE sent in subresource requests from this frame.
Cross-site Frames
Cross-site frame on https://cross-site-embed.glitch.me/
The frame is not same-site with the top-level, so we expect that cookies were not sent with the request or in subresource requests.
ABA: Cross-site embed with a subframe that is same-site with the top-level
The frame is same-site with the top-level but has a cross-site ancestor, so we expect that cookies were not sent with the request or in subresource requests.
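The following is an added example, not code from the demo page itself. It is a small Node.js model of the demo above: `/set` drops a `SameSite=None; Secure` cookie, `/frame/<variant>` serves a same-site frame under each of the four sandboxing policies (the two `Content-Security-Policy: sandbox` variants and the two `<iframe sandbox>` variants), `/check` is the subresource each frame loads and reports whether the cookie came along, and `expectCookiesSent` encodes the expectations stated for every case on the page, including the cross-site and ABA frames, under the page's premise that third-party cookies are blocked. The variant names, paths, the cookie name `demo_cookie` and the function names are all constructed for this example.

```javascript
// Added example (not the demo page's own code). Routing is a pure function so
// the behaviour can be checked without opening a socket; startDemoServer()
// wraps it in an HTTP server when you want to load it in a browser.

const COOKIE_NAME = 'demo_cookie'; // constructed cookie name for this example
const TOKEN = 'allow-same-site-none-cookies';

// The four same-site frame variants on the page. CSP variants carry the
// sandbox directive on the frame's own response; iframe variants are
// sandboxed by the embedder's sandbox attribute instead.
const VARIANTS = {
  'csp-default':    { csp: 'sandbox' },
  'csp-allow':      { csp: `sandbox ${TOKEN}` },
  'iframe-default': { sandboxAttr: '' },
  'iframe-allow':   { sandboxAttr: TOKEN },
};

// Expectation model from the page, assuming third-party cookies are blocked:
// cookies are sent only when the sandbox permits it (frame not sandboxed, or
// sandboxed with the token) AND every ancestor up to the top-level is same-site.
//   sandboxTokens: null when the frame is not sandboxed, else the token list.
function expectCookiesSent({ sandboxTokens, ancestorChainSameSite }) {
  const permitted = sandboxTokens === null || sandboxTokens.includes(TOKEN);
  return permitted && ancestorChainSameSite;
}

// Sandbox tokens in effect for a variant, in the shape expectCookiesSent wants.
function tokensFor(variant) {
  const v = VARIANTS[variant];
  const policy = v.csp !== undefined ? v.csp.replace(/^sandbox\s*/, '') : v.sandboxAttr;
  return policy.split(/\s+/).filter(Boolean);
}

// Parse a Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Top-level page: one <iframe> per variant, with a sandbox attribute only on
// the iframe variants.
function topLevelHtml() {
  return Object.entries(VARIANTS).map(([name, v]) => {
    const attr = v.sandboxAttr === undefined ? '' : ` sandbox="${v.sandboxAttr}"`;
    return `<p>${name}</p>\n<iframe src="/frame/${name}"${attr}></iframe>`;
  }).join('\n');
}

// Pure request router: returns { status, headers, body } plus, for /check,
// the variant name and whether the demo cookie was present on the request.
function route(pathWithQuery, reqHeaders = {}) {
  const url = new URL(pathWithQuery, 'https://demo.invalid'); // base only used for parsing
  const html = { 'Content-Type': 'text/html; charset=utf-8' };

  if (url.pathname === '/set') {
    const setCookie = `${COOKIE_NAME}=1; SameSite=None; Secure; Path=/`;
    return { status: 200, headers: { 'Set-Cookie': setCookie }, body: 'cookie set' };
  }
  if (url.pathname === '/') {
    return { status: 200, headers: html, body: topLevelHtml() };
  }
  if (url.pathname.startsWith('/frame/')) {
    const variant = url.pathname.slice('/frame/'.length);
    const v = VARIANTS[variant];
    if (!v) return { status: 404, headers: {}, body: '' };
    const headers = v.csp ? { ...html, 'Content-Security-Policy': v.csp } : html;
    // The <img> is the subresource request whose Cookie header /check inspects.
    const body = `<img src="/check?variant=${encodeURIComponent(variant)}" alt="">`;
    return { status: 200, headers, body };
  }
  if (url.pathname === '/check') {
    const cookieSent = COOKIE_NAME in parseCookieHeader(reqHeaders.cookie);
    return { status: 204, headers: {}, body: '', variant: url.searchParams.get('variant'), cookieSent };
  }
  return { status: 404, headers: {}, body: '' };
}

// Serve the model over HTTP. SameSite=None cookies require Secure, so put this
// behind TLS in practice; browsers treat localhost as potentially trustworthy,
// which is enough for local testing. Not started at load time.
function startDemoServer(port) {
  const http = require('http');
  return http.createServer((req, res) => {
    const r = route(req.url, req.headers);
    if (r.cookieSent !== undefined) console.log(`[check] variant=${r.variant} cookieSent=${r.cookieSent}`);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(port);
}
```

To try it in a browser, call `startDemoServer(8080)` from a Node REPL, open `/set` and then `/`, and read the `[check]` lines on the server console; compare each `cookieSent` value with `expectCookiesSent({ sandboxTokens: tokensFor(variant), ancestorChainSameSite: true })`. The cross-site and ABA cases from the page need a second site and are represented only in the model (`ancestorChainSameSite: false`).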