Closed Bug 1556151 Opened 4 months ago Closed 2 months ago

SessionCookies.jsm does not restore the SameSite flag of session cookies

Categories

(Firefox :: Session Restore, enhancement, P3)

64 Branch
enhancement

Tracking


RESOLVED FIXED
Firefox 70
Tracking Status
firefox70 --- fixed

People

(Reporter: robwu, Assigned: dennisschagt)

References

(Blocks 1 open bug)


Attachments

(1 file)

SessionCookiesInternal.restore unconditionally uses SAMESITE_NONE as the sameSite flag. This is incorrect; the sameSite flag should have been saved at CookieStore.add and be restored later.

The effect of this is that after a session restore, session cookies could inadvertently be included in requests where they shouldn't have been included (when SameSite=Lax or SameSite=Strict).
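
A reduced model of the save/restore round trip described in this report, added here as an illustration. It is not Firefox's SessionCookies.jsm code: the function names, the cookie object shape and the simplified SameSite check are assumptions.

```javascript
// Simplified model of session-cookie save/restore (hypothetical names throughout).
const SAMESITE_NONE = 0, SAMESITE_LAX = 1, SAMESITE_STRICT = 2;

// Save step. keepSameSite=false models the reported behaviour:
// the flag is never written to the session file.
function serializeCookie(cookie, keepSameSite) {
  const saved = { host: cookie.host, name: cookie.name, value: cookie.value };
  if (keepSameSite && cookie.sameSite !== SAMESITE_NONE) {
    saved.sameSite = cookie.sameSite;
  }
  return saved;
}

// Restore step. Entries written without the flag come back as SAMESITE_NONE.
function restoreCookie(saved) {
  const sameSite = "sameSite" in saved ? saved.sameSite : SAMESITE_NONE;
  return { ...saved, sameSite };
}

// Reduced SameSite check: would the cookie be attached to this request?
function isSentWith(cookie, request) {
  if (!request.crossSite) return true;
  if (cookie.sameSite === SAMESITE_STRICT) return false;
  if (cookie.sameSite === SAMESITE_LAX) {
    return request.topLevelNavigation && request.method === "GET";
  }
  return true; // SAMESITE_NONE
}

// The JSON round trip stands in for writing and reading the session file.
function roundTrip(cookie, keepSameSite) {
  const onDisk = JSON.stringify(serializeCookie(cookie, keepSameSite));
  return restoreCookie(JSON.parse(onDisk));
}

// Constructed sample data.
const live = { host: "bank.example", name: "sid", value: "abc", sameSite: SAMESITE_STRICT };
const crossSitePost = { crossSite: true, topLevelNavigation: false, method: "POST" };

const before = roundTrip(live, false); // flag lost on save
const after = roundTrip(live, true);   // flag saved and restored

console.log("live cookie sent cross-site:     ", isSentWith(live, crossSitePost));
console.log("restored without flag, sent:     ", isSentWith(before, crossSitePost));
console.log("restored with flag, sent:        ", isSentWith(after, crossSitePost));
```
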

The priority flag is not set for this bug.
:mikedeboer, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(mdeboer)

Sounds plausible to me, but I unfortunately don't have time to work on this right now. Please feel free to pick this up - I'd be more than happy to mentor!

Blocks: ss-feature
Type: defect → enhancement
Flags: needinfo?(mdeboer)
Priority: -- → P3

Bug 1556151 - SessionStore: Save and restore cookie.sameSite flag

I just submitted a patch and added :mikedeboer as reviewer.

:mikedeboer, could you assign this bug to me?

This is one of my first contributions to Firefox. Please let me know if there is anything I can improve on.

Flags: needinfo?(mdeboer)
Assignee: nobody → dennisschagt
Flags: needinfo?(mdeboer)

Pushed by dvarga@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/922be4adb708
SessionStore: Save and restore cookie.sameSite flag r=mikedeboer

Keywords: checkin-needed
Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 70

Dennis, well done for (one of) your first contribution(s) to Firefox! I'm looking forward to many more in the future!
