Enable sameSite=lax by default on Nightly
Categories
(Core :: Networking: Cookies, enhancement, P2)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox75 | --- | fixed |
People
(Reporter: baku, Assigned: baku)
References
(Blocks 1 open bug)
Details
(Keywords: site-compat, Whiteboard: [necko-triaged])
Attachments
(1 file, 1 obsolete file)
Chrome is enabling samesite=lax by default. This bug is about enabling the same feature in Firefox.
Comment 2•5 years ago
I had a conversation with Google today about their plans to enable sameSite=lax in Chrome 80. They are still seeing some site compatibility issues and are collecting additional data. There is a chance they may push their deployment out.
In any case, they will definitely be shipping this to release behind a pref that they can flip in the field to turn it off in case things go badly. I think we should plan for the same, via Normandy. Not sure if any additional engineering is required to support that (I don't think so, but will confirm), but I wanted to at least provide an update on this feature and make sure we have risk mitigation plans.
Comment 3•5 years ago
(In reply to Mike Conca [:mconca] from comment #2)
> I had a conversation with Google today about their plans to enable sameSite=lax in Chrome 80. They are still seeing some site compatibility issues and are collecting additional data. There is a chance they may push their deployment out.
> In any case, they will definitely be shipping this to release behind a pref that they can flip in the field to turn it off in case things go badly. I think we should plan for the same, via Normandy. Not sure if any additional engineering is required to support that (I don't think so, but will confirm), but I wanted to at least provide an update on this feature and make sure we have risk mitigation plans.

That makes sense. FWIW when reviewing the patch on phabricator I suggested that before outright enabling this we should start gradually enabling it on our trains and watch for fallout, e.g. enable Nightly-only for a while and wait for bug reports, then expand to early beta, etc...
Comment 4
Do you know when this will be enabled, since Tomcat 7 isn't compatible with this and upgrading Tomcat is a major task for website owners?
Comment 5
(In reply to Simon from comment #4)
> Do you know when this will be enabled, since Tomcat 7 isn't compatible with this and upgrading Tomcat is a major task for website owners?

Not answering your question - you may be interested in today's update in blink-dev:
https://groups.google.com/a/chromium.org/forum/m/#!topic/blink-dev/AknSSyQTGYs
Comment 6•5 years ago
(In reply to Mike Conca [:mconca] from comment #2)
> I had a conversation with Google today about their plans to enable sameSite=lax in Chrome 80. They are still seeing some site compatibility issues and are collecting additional data. There is a chance they may push their deployment out.

Update from Google today (with a ton of good data, well worth reading) - the Chrome team believes breakage is both minimal (few sites) and acceptable (breakage is on low engagement sites). It appears this change is on track for release with Chrome 80.
Comment 7•5 years ago
(In reply to Mike Conca [:mconca] from comment #6)
> Update from Google today (with a ton of good data, well worth reading) - the Chrome team believes breakage is both minimal (few sites) and acceptable (breakage is on low engagement sites). It appears this change is on track for release with Chrome 80.

This feature received the necessary sign-offs at Google and will be shipping with Chrome 80 (February 4, 2020).
Comment 9
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ced61db946ff Enable sameSite=lax by default, r=Ehsan,ahal
Comment 10•5 years ago
Backed out for failing geckoview at WebExecutorTest.testAnonymous
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=290399287&repo=autoland&lineNumber=11589
Backout: https://hg.mozilla.org/integration/autoland/rev/7cec81aab83f409967b336126c0b11339218c3ab
Comment 11•5 years ago
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d76f4c4a4fb6 Enable sameSite=lax by default, r=Ehsan,ahal
Comment 12•5 years ago
Backed out changeset d76f4c4a4fb6 (Bug 1604212) for causing lint failure and bustages in WebExecutorTest.kt CLOSED TREE
Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&selectedJob=290408171&resultStatus=testfailed%2Cbusted%2Cexception&revision=d76f4c4a4fb6d987df932e9802b6f55b936d523b
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=290408171&repo=autoland&lineNumber=1109
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=290408137&repo=autoland&lineNumber=39026
Backout: https://hg.mozilla.org/integration/autoland/rev/1ddb8ecb4127c455cd26daf1a20511afb1f89791
Comment 13•5 years ago
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/cbdc2840f86c Enable sameSite=lax by default, r=Ehsan,ahal
Comment 14•5 years ago
Backout by aiakab@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/31dd90a798b9 Backed out changeset cbdc2840f86c for causing wpt failures on fetch.https.html
Comment 15•5 years ago
Backed out changeset cbdc2840f86c (bug 1604212) for causing wpt failures on fetch.https.html
Backout revision https://hg.mozilla.org/integration/autoland/rev/31dd90a798b9daf98d1b1a58c869757848c96705
Failure logs https://treeherder.mozilla.org/logviewer.html#?job_id=290432935&repo=autoland
Andrea can you please take a look?
Comment 16•5 years ago
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/150b8347d28f Enable sameSite=lax by default, r=Ehsan,ahal
Comment 18•5 years ago
Hi,
Where can I track the release for this feature? And which versions of FF will this be launched for?
Comment 19•5 years ago
(In reply to ritika from comment #18)
> Hi,
> Where can I track the release for this feature? And which versions of FF will this be launched for?

Hi, target mentioned above is next release, mozilla75.
Comment 20•5 years ago
(In reply to Andreea Pavel [:apavel] from comment #19)
> (In reply to ritika from comment #18)
> > Hi,
> > Where can I track the release for this feature? And which versions of FF will this be launched for?
>
> Hi, target mentioned above is next release, mozilla75.

Thanks for the information. Which values will SameSite attribute support? E.g. None, Strict? Will the older versions also support the SameSite attribute?
Comment 21•5 years ago
> Where can I track the release for this feature? And which versions of FF will this be launched for?

We are not planning to ship this feature yet. We are testing in nightly only to see the level of breakage.

> Thanks for the information. Which values will SameSite attribute support? E.g. None, Strict? Will the older versions also support the SameSite attribute?

SameSite attribute values are lax, strict and none. This feature is back compatible. We are not introducing new values.
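
What the default means for a site operator, as an added example that is not part of the bug thread or Firefox's code: a cookie set without a SameSite attribute is enforced as lax, so it is attached to cross-site requests only on top-level navigations with a safe method. The header strings are constructed samples, the function names are hypothetical, and only the basic rule is modelled.

```python
# Added example (not Firefox code). Header values are constructed samples.
from dataclasses import dataclass
from typing import List, Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
KNOWN_VALUES = {"lax", "strict", "none"}

@dataclass
class CookiePolicy:
    name: str
    declared: Optional[str]  # SameSite value the server sent, None if absent
    effective: str           # value enforced with lax-by-default enabled

def parse_set_cookie(header: str) -> CookiePolicy:
    """Extract the cookie name and its SameSite policy from one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    declared = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "samesite":
            value = value.strip().lower()
            # Assumption: an unrecognised value is handled like a missing attribute.
            declared = value if value in KNOWN_VALUES else None
    return CookiePolicy(name, declared, declared or "lax")

def is_sent(policy: CookiePolicy, cross_site: bool, top_level_nav: bool, method: str) -> bool:
    """Basic SameSite rule: would the cookie be attached to this request?"""
    if not cross_site or policy.effective == "none":
        return True
    if policy.effective == "strict":
        return False
    # lax: cross-site only on top-level navigations using a safe method
    return top_level_nav and method.upper() in SAFE_METHODS

def affected_by_default(headers: List[str]) -> List[str]:
    """Cookies with no SameSite attribute: the ones whose behaviour changes."""
    return [p.name for p in map(parse_set_cookie, headers) if p.declared is None]

SAMPLE_HEADERS = [  # constructed
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "prefs=dark; Path=/; SameSite=Strict",
    "widget=1; Secure; SameSite=None",
    "sso=tok; Path=/; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    print(affected_by_default(SAMPLE_HEADERS))
```
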
Comment 22•5 years ago
Please take a look at Bug 1618336.