From what I can tell this is just an issue of LaxByDefault expectation. Firefox does not have LaxByDefault currently enabled so the cookie set in the STR will be SameSite=None. So in the case that we perform the cross-site navigation in step 2, we send the cookie, [according to spec](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-14#section-4.1.2.7-2). That's with or without the timer. FWIW and just in case the issue is actually still occuring with when laxByDefault is enabled, I also attempted to reproduce with our pref on. With the same STR, I observed that the cookie was NOT attached to the request on the POST. Though, I did notice it on the GET for favicon, which is also within spec. Some citation: When sending a request the spec says a cookie should be excluded in the circumstance where Samesite != None and it is a cross-site request under [unless certain conditions are all met](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-14#section-5.7.3-2.1.2.5.1). To be explicit those conditions are: * The retrieval's type is "HTTP". * The same-site-flag is "Lax" or "Default". * The HTTP request associated with the retrieval uses a "safe" method. * The target browsing context of the HTTP request associated with the retrieval is the active browsing context or a top-level traversable. Where GET is considered a ["Safe" method](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-14#section-2.3-9), but POST is not. So I think we can actually close this issue as it should resolve if and when we switch to laxByDefault. I will give this a week or so before closing in case there is a key fact that I missed.
Bug 1892049 Comment 6 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
From what I can tell this is just an issue of LaxByDefault expectation. Firefox does not have LaxByDefault currently enabled so the cookie set in the STR will be SameSite=None. So in the case that we perform the cross-site navigation in step 2, we send the cookie, [according to spec](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-14#section-4.1.2.7-2). That's with or without the timer. FWIW and just in case the issue is actually still occuring with when laxByDefault is enabled, I also attempted to reproduce with our pref on. With the same STR, I observed that the cookie was NOT attached to the request on the POST. Though, I did notice it on the GET for favicon, which is also within spec. Some citation: When sending a request the spec says a cookie should be excluded in the circumstance where Samesite != None and it is a cross-site request under [unless certain conditions are all met](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-14#section-5.7.3-2.1.2.5.1). To be explicit those conditions are: * The retrieval's type is "HTTP". * The same-site-flag is "Lax" or "Default". * The HTTP request associated with the retrieval uses a "safe" method. (Where GET is considered a ["Safe" method](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-14#section-2.3-9), but POST is not.) * The target browsing context of the HTTP request associated with the retrieval is the active browsing context or a top-level traversable. So I think we can actually close this issue as it should resolve if and when we switch to laxByDefault. I will give this a week or so before closing in case there is a key fact that I missed.