Open Bug 1550032 Opened 5 years ago Updated 1 year ago

Change cookie API to explicitly support sameSite=none

Categories

(WebExtensions :: General, enhancement, P2)

Tracking

(Not tracked)

REOPENED

People

(Reporter: mconca, Unassigned)

Attachments

(2 files)

Google intends to update the cookie API to explicitly support the SameSite=None value of the attribute, as well as change the meaning of the default when no SameSite attribute is specified, adding a new 'unspecified' value.

See https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/rwjZcCnlITo

The Firefox WebExtensions API for cookies should be modified to match this change.

Priority: -- → P3

This requires platform support.

Here are relevant resources about the development of SameSite=None

It's not clear whether Mozilla was involved in standardization discussions about this, since the dependency tree of bug 795346 has not recently been modified. SameSite=None is not the only upcoming change; Chromium also appears to be working on SameSite=Extended:

Depends on: 1551798

I think this bug is a dup of 1551798. In bug 1551798 I implemented both SameSite=lax by default and SameSite=None only if secure.
SameSite=Extended should be a separate bug.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE

Bug 1551798 does not currently address this bug, because it just changes the default to SAMESITE_NONE, while the extension API should default to NONE or LAX depending on the defaults (if sameSite is not set).

The change must be:

  • If sameSite is set to "unspecified", do whatever the defaults are (lax or none, depending on bug 1551798).
  • If sameSite is not set, treat it as "unspecified" (i.e. same behavior as previous line).

Not changed, but the other cases are:

  • If sameSite is set to "none", use SAMESITE_NONE
  • If sameSite is set to "lax", use SAMESITE_LAX
  • If sameSite is set to "strict", use SAMESITE_STRICT

Besides the above change, in order to resolve this bug a unit test must be written for the functionality.
Do you plan to do the above in bug 1551798? If not, then this bug should probably be deduplicated.

Flags: needinfo?(amarchesini)

I didn't realize this was about webExtensions. Reopening the bug.

Status: RESOLVED → REOPENED
Flags: needinfo?(amarchesini)
Resolution: DUPLICATE → ---
Depends on: 1555652

Bug 1551798 adds partial support. There is no "unspecified" keyword, but when sameSite is omitted, the preference-dependent default is chosen.

While looking at the patch, I also noticed that there is an untested issue: Previously, when sameSite was omitted, it defaulted to SameSite=Strict instead of SameSite=None (because absence of sameSite means that sameSite is -1, and -1 is converted to STRICT). This is unintentional, and apparently there is no test coverage, so I'm going to add a unit test when I resolve this bug.

Priority: P3 → P2
Assignee: nobody → anuragakellaak
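
The mapping requested in the comments above, next to a model of the omitted-value defect, as an added example (not Firefox code and not part of the bug thread). The numeric constant values and the names `API_VALUES`, `legacyResolve`, `resolveSameSite`, `laxByDefault`, `CASES` and `failingCases` are assumptions made for illustration.

```javascript
// Added illustration, not Firefox source. The numeric values of the
// SAMESITE_* constants named in the bug are assumed here.
const SAMESITE_NONE = 0;
const SAMESITE_LAX = 1;
const SAMESITE_STRICT = 2;

// Hypothetical list of accepted API strings, in constant order.
const API_VALUES = ["none", "lax", "strict"];

// Model of the described defect: an omitted sameSite gives index -1, and
// every index that is not NONE or LAX falls through to STRICT.
function legacyResolve(details) {
  const index = API_VALUES.indexOf(details.sameSite); // omitted -> -1
  if (index === SAMESITE_NONE) return SAMESITE_NONE;
  if (index === SAMESITE_LAX) return SAMESITE_LAX;
  return SAMESITE_STRICT;
}

// Requested behaviour: omitted and "unspecified" follow the platform default
// (a preference, passed in here as laxByDefault); explicit values map one to
// one; anything else is rejected instead of being silently coerced.
function resolveSameSite(details, { laxByDefault }) {
  const value = details.sameSite == null ? "unspecified" : details.sameSite;
  switch (value) {
    case "unspecified": return laxByDefault ? SAMESITE_LAX : SAMESITE_NONE;
    case "none": return SAMESITE_NONE;
    case "lax": return SAMESITE_LAX;
    case "strict": return SAMESITE_STRICT;
    default:
      throw new TypeError(`Invalid sameSite value: ${JSON.stringify(value)}`);
  }
}

// Constructed regression table: [details, laxByDefault, expected constant].
const CASES = [
  [{}, false, SAMESITE_NONE],
  [{}, true, SAMESITE_LAX],
  [{ sameSite: "unspecified" }, false, SAMESITE_NONE],
  [{ sameSite: "unspecified" }, true, SAMESITE_LAX],
  [{ sameSite: "none" }, true, SAMESITE_NONE],
  [{ sameSite: "lax" }, false, SAMESITE_LAX],
  [{ sameSite: "strict" }, false, SAMESITE_STRICT],
];

// Returns the rows where the resolver disagrees with the table.
function failingCases(resolve) {
  return CASES.filter(([d, lax, want]) => resolve(d, { laxByDefault: lax }) !== want);
}
```

Running `failingCases(legacyResolve)` against the same table flags every omitted and "unspecified" row, which is the coverage gap the comment above describes.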

I'm opening this bug for other contributors since the patches have not had any activity for over 6 months.

Assignee: anuragakellaak → nobody
Severity: normal → S3
Component: Compatibility → General