Closed Bug 1604212 Opened 5 months ago Closed 3 months ago

Enable sameSite=lax by default on Nightly

Categories

(Core :: Networking: Cookies, enhancement, P2)

enhancement

Tracking

()

RESOLVED FIXED
mozilla75
Tracking Status
firefox75 --- fixed

People

(Reporter: baku, Assigned: baku)

References

(Blocks 3 open bugs, Regressed 3 open bugs)

Details

(Keywords: site-compat, Whiteboard: [necko-triaged])

Attachments

(1 file, 1 obsolete file)

Chrome is enabling SameSite=Lax by default. This bug is about enabling the same feature in Firefox.

Assignee: nobody → amarchesini
Status: NEW → ASSIGNED
Blocks: cookie
Priority: -- → P2
Whiteboard: [necko-triaged]
Depends on: 1551798
Keywords: dev-doc-needed
Keywords: site-compat

I had a conversation with Google today about their plans to enable sameSite=lax in Chrome 80. They are still seeing some site compatibility issues and are collecting additional data. There is a chance they may push their deployment out.

In any case, they will definitely be shipping this to release behind a pref that they can flip in the field to turn it off in case things go badly. I think we should plan for the same, via Normandy. Not sure if any additional engineering is required to support that (I don't think so, but will confirm), but I wanted to at least provide an update on this feature and make sure we have risk mitigation plans.

(In reply to Mike Conca [:mconca] from comment #2)

> I had a conversation with Google today about their plans to enable sameSite=lax in Chrome 80. They are still seeing some site compatibility issues and are collecting additional data. There is a chance they may push their deployment out.

> In any case, they will definitely be shipping this to release behind a pref that they can flip in the field to turn it off in case things go badly. I think we should plan for the same, via Normandy. Not sure if any additional engineering is required to support that (I don't think so, but will confirm), but I wanted to at least provide an update on this feature and make sure we have risk mitigation plans.

That makes sense. FWIW when reviewing the patch on phabricator I suggested that before outright enabling this we should start gradually enabling it on our trains and watch for fallout, e.g. enable Nightly-only for a while and wait for bug reports, then expand to early beta, etc...

Do you know when this will be enabled, since Tomcat 7 isn't compatible with this and upgrading Tomcat is a major task for website owners.

(In reply to Simon from comment #4)

> Do you know when this will be enabled, since Tomcat 7 isn't compatible with this and upgrading Tomcat is a major task for website owners.

Not answering your question - you may be interested in today's update in blink-dev:
https://groups.google.com/a/chromium.org/forum/m/#!topic/blink-dev/AknSSyQTGYs

(In reply to Mike Conca [:mconca] from comment #2)

> I had a conversation with Google today about their plans to enable sameSite=lax in Chrome 80. They are still seeing some site compatibility issues and are collecting additional data. There is a chance they may push their deployment out.

Update from Google today (with a ton of good data, well worth reading) - the Chrome team believes breakage is both minimal (few sites) and acceptable (breakage is on low engagement sites). It appears this change is on track for release with Chrome 80.

(In reply to Mike Conca [:mconca] from comment #6)

> Update from Google today (with a ton of good data, well worth reading) - the Chrome team believes breakage is both minimal (few sites) and acceptable (breakage is on low engagement sites). It appears this change is on track for release with Chrome 80.

This feature received the necessary sign-offs at Google and will be shipping with Chrome 80 (February 4, 2020).

Attachment #9116150 - Attachment is obsolete: true
Summary: Enable sameSite=lax by default → Enable sameSite=lax by default on Nightly
Blocks: 1617609
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ced61db946ff
Enable sameSite=lax by default, r=Ehsan,ahal
Flags: needinfo?(amarchesini)
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d76f4c4a4fb6
Enable sameSite=lax by default, r=Ehsan,ahal
Flags: needinfo?(amarchesini)
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cbdc2840f86c
Enable sameSite=lax by default, r=Ehsan,ahal
Backout by aiakab@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/31dd90a798b9
Backed out changeset cbdc2840f86c for causing wpt failures on fetch.https.html
Flags: needinfo?(amarchesini)
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/150b8347d28f
Enable sameSite=lax by default, r=Ehsan,ahal
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
Regressions: 1618506
Blocks: 1618610

Hi,
Where can I track the release for this feature? And which versions of FF will this be launched for?

(In reply to ritika from comment #18)

> Hi,
> Where can I track the release for this feature? And which versions of FF will this be launched for?

Hi, the target mentioned above is the next release, mozilla75.

Regressions: 1620018
Regressions: 1620179

(In reply to Andreea Pavel [:apavel] from comment #19)

> (In reply to ritika from comment #18)
>
> > Hi,
> > Where can I track the release for this feature? And which versions of FF will this be launched for?
>
> Hi, the target mentioned above is the next release, mozilla75.

Thanks for the information. Which values will the SameSite attribute support? E.g. None, Strict? Will the older versions also support the SameSite attribute?

Flags: needinfo?(amarchesini)

> Where can I track the release for this feature? And which versions of FF will this be launched for?

We are not planning to ship this feature yet. We are testing in nightly only to see the level of breakage.

> Thanks for the information. Which values will the SameSite attribute support? E.g. None, Strict? Will the older versions also support the SameSite attribute?

SameSite attribute values are lax, strict and none. This feature is backward compatible. We are not introducing new values.

Flags: needinfo?(amarchesini)
Regressions: 1620547
Regressions: 1620104
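As an added example (not code from this bug, from Firefox or from Chrome), the script below models the cookie-sending rule that "SameSite=Lax by default" changes, for the three attribute values named in comment 21 (lax, strict, none). A cookie whose Set-Cookie header carries no SameSite attribute is treated as if it had SameSite=Lax, so it stops being sent on cross-site POSTs and on cross-site subresource requests; that is exactly the breakage a server that cannot emit SameSite=None (the Tomcat 7 case from comment 4, where a session cookie must arrive on a cross-site form post) would hit. The site() helper, the scenario hosts and the Set-Cookie headers are constructed for illustration; the model assumes the standard Lax/Strict/None semantics only and does not cover any browser-specific exceptions to them.

```javascript
// Added example: a model of which cookies a browser attaches to a request
// under "SameSite=Lax by default". Not Firefox or Chrome code.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Simplified "site" (registrable domain) comparison: assumes the last two
// labels form the site. A real browser consults the Public Suffix List.
function site(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Parse a Set-Cookie header value into {name, value, sameSite, secure}.
// sameSite === null means the attribute was absent (or carried an unknown value).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "samesite") {
      const val = v.trim().toLowerCase();
      cookie.sameSite = ["lax", "strict", "none"].includes(val) ? val : null;
    } else if (key === "secure") {
      cookie.secure = true;
    }
  }
  return cookie;
}

// laxByDefault === true is the behaviour this bug enables on Nightly:
// a cookie with no SameSite attribute is treated as Lax instead of None.
function effectiveSameSite(cookie, laxByDefault) {
  if (cookie.sameSite !== null) return cookie.sameSite;
  return laxByDefault ? "lax" : "none";
}

// Would `cookie` (belonging to requestHost) be attached to a request for
// requestHost initiated from a document on initiatorHost?
function cookieIsSent(cookie, { initiatorHost, requestHost, method, topLevelNavigation }, laxByDefault) {
  const crossSite = site(initiatorHost) !== site(requestHost);
  if (!crossSite) return true; // same-site requests always carry the cookie
  switch (effectiveSameSite(cookie, laxByDefault)) {
    case "strict": return false;                                        // never cross-site
    case "lax":    return topLevelNavigation && SAFE_METHODS.has(method); // top-level safe navigations only
    case "none":   return true;                                         // always (cross-site use is opted in)
    default:       throw new Error("unreachable");
  }
}

// Constructed scenarios (hosts are made up). crossSitePost mirrors an SSO
// flow where an identity provider POSTs back to the application.
const SCENARIOS = {
  sameSiteGet:          { initiatorHost: "www.example.com", requestHost: "app.example.com", method: "GET",  topLevelNavigation: true },
  crossSiteTopLevelGet: { initiatorHost: "idp.example.net", requestHost: "app.example.com", method: "GET",  topLevelNavigation: true },
  crossSitePost:        { initiatorHost: "idp.example.net", requestHost: "app.example.com", method: "POST", topLevelNavigation: true },
  crossSiteSubresource: { initiatorHost: "other.example.net", requestHost: "app.example.com", method: "GET", topLevelNavigation: false },
};

// For one Set-Cookie header, show legacy vs. lax-by-default behaviour per scenario.
function compare(setCookieHeader) {
  const cookie = parseSetCookie(setCookieHeader);
  const out = {};
  for (const [name, req] of Object.entries(SCENARIOS)) {
    out[name] = { legacy: cookieIsSent(cookie, req, false), laxByDefault: cookieIsSent(cookie, req, true) };
  }
  return out;
}

// A session cookie emitted without SameSite (what an older server produces):
// note crossSitePost and crossSiteSubresource flip from true to false.
console.log(JSON.stringify(compare("JSESSIONID=abc; Path=/; HttpOnly"), null, 2));
// The fix on the server side is an explicit opt-in:
console.log(JSON.stringify(compare("JSESSIONID=abc; Path=/; SameSite=None; Secure"), null, 2));
```

Running it shows the only rows that change are the cross-site POST and the cross-site subresource request, which is why the reported fallout concentrates on SSO-style form posts and embedded content rather than ordinary links.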

Please take a look at Bug 1618336.
