Firefox 60 introduces support for the SameSite cookie attribute: https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/ This provides significant protection against CSRF vulnerabilities and so it should be applied to any session cookies. Happy to help with any implementation / checking tasks :)
Heh, added to CGI.pm on 2016-06-14: https://metacpan.org/changes/distribution/CGI#L56 This looks easy.
I want SameSite=Lax, right? Not SameSite=Strict, because that would mean when clicking on a link that leads to bugzilla you'd not be logged in?
That's right - 'lax' will allow the user to be logged in from normal links, so I think that's best for bmo.
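The Lax versus Strict distinction discussed above, as an added example that is not code from this thread, from Bugzilla or from CGI.pm: a small Python model of the SameSite send rules, run over constructed scenarios (the scenario names and the helper functions are illustrative assumptions).

```python
# Added example (not from the Bugzilla thread or CGI.pm): a model of when a
# browser attaches a cookie, showing why SameSite=Lax rather than Strict fits bmo.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def cookie_sent(samesite, same_site_request, top_level_navigation, method):
    """Return True if a cookie with the given SameSite value is attached.

    samesite: "Strict", "Lax" or None (attribute absent, no restriction)
    same_site_request: the request comes from the same site as the cookie
    top_level_navigation: the request replaces the top-level document
        (link click, form submission), not a subresource fetch or XHR
    """
    if same_site_request or samesite is None:
        return True
    if samesite == "Strict":
        return False  # never attached on any cross-site request
    if samesite == "Lax":
        # cross-site: only top-level navigations using a safe method
        return top_level_navigation and method.upper() in SAFE_METHODS
    raise ValueError("unknown SameSite value: %r" % samesite)


def session_cookie_header(name, value, samesite="Lax"):
    """Build the Set-Cookie line a server would emit for a session cookie."""
    return "%s=%s; Path=/; Secure; HttpOnly; SameSite=%s" % (name, value, samesite)


# Constructed scenarios matching the thread's reasoning:
# (same_site_request, top_level_navigation, method)
SCENARIOS = {
    "link click to bmo from another site": (False, True, "GET"),
    "cross-site form POST (classic CSRF)": (False, True, "POST"),
    "cross-site XHR or image fetch": (False, False, "GET"),
    "navigation within bmo": (True, True, "GET"),
}


def compare(samesite_values=("Strict", "Lax", None)):
    """For each scenario, report which SameSite settings still attach the cookie."""
    return {
        name: {s: cookie_sent(s, *args) for s in samesite_values}
        for name, args in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, results in compare().items():
        print("%-40s %s" % (name, results))
```

The output shows that Lax keeps the user logged in when following a link to bugzilla but still withholds the cookie on a cross-site POST, whereas Strict drops the cookie in both cases.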
Status: NEW → RESOLVED
Last Resolved: 11 months ago
Resolution: --- → FIXED