Closed Bug 1617609 Opened 2 years ago Closed 13 days ago

[meta] Enable sameSite=lax by default

Categories

(Core :: Networking: Cookies, task, P2)

task

Tracking

RESOLVED FIXED
96 Branch
Tracking Status
firefox96 + fixed

People

(Reporter: baku, Assigned: ngogge)

References

(Depends on 2 open bugs, Blocks 1 open bug)

Details

(Keywords: dev-doc-complete, meta, site-compat, Whiteboard: [necko-triaged])

Attachments

(1 file)

Chrome is enabling samesite=lax by default. This bug is about enabling the same feature in Firefox. See 1604212.

Depends on: 1617611
Keywords: site-compat

Hi,

Where can I track the release for this feature? And which versions of FF will this be launched for?

> Where can I track the release for this feature? And which versions of FF will this be launched for?

Watch this bug. See Tracking -> Milestone when Status changed to FIXED.

Mozilla may observe how Chrome's rollout goes
https://www.chromium.org/updates/same-site
https://www.chromestatus.com/feature/5088147346030592

See Also: → sameSiteLax-breakage
Priority: -- → P2
Whiteboard: [necko-triaged]

(In reply to j.j. from comment #2)
> > Where can I track the release for this feature? And which versions of FF will this be launched for?
>
> Watch this bug. See Tracking -> Milestone when Status changed to FIXED.
>
> Mozilla may observe how Chrome's rollout goes
> https://www.chromium.org/updates/same-site
> https://www.chromestatus.com/feature/5088147346030592

Thanks for the information. Which values will Samesite attribute support ? Eg. None, Strict? Will the older versions also support Samesite?

Depends on: 1620717

Please note that Bugzilla is a tracking database for implementers and not the best place to ask general questions, as it interferes with workflow.

> Which values will Samesite attribute support ?

See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#SameSite.
For SameSite=Lax by default the above linked Chromestatus entry should have helpful links.

> Will the older versions also support Samesite?

Yes, as SameSite is supported since Firefox 60
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Browser_compatibility

No, if you mean "Treat cookies as SameSite=Lax by default if no SameSite attribute is specified", which is what this bug is about.

From Chrome:

> One policy will allow administrators to specify a list of domains on which cookies should be handled according to the legacy behavior (LegacySameSiteCookieBehaviorEnabledForDomainList), and a second policy will provide the option to set the global default to legacy SameSite behavior for all cookies (LegacySameSiteCookieBehaviorEnabled). More details about these policies will follow in future enterprise release notes before the Chrome 79 release.

Will we have the ability to do this on a per domain basis or will we just be able to flip the global default?

What is the name of the pref that controls this?

Depends on: 1622091

In bug 1623313 I have implemented a similar behavior. Pref network.cookie.sameSite.laxByDefault.disabledHosts can be used to have legacy sameSite behavior for a list of hosts.
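To make the behaviour discussed in this thread concrete (unspecified SameSite treated as Lax, a per-host legacy exemption as provided by the network.cookie.sameSite.laxByDefault.disabledHosts pref, and "Reject insecure SameSite=None cookies"), here is an added, simplified model of a browser's cookie-attachment decision. It is illustration code written for this page, not Firefox's implementation; the `disabled_hosts` parameter, the `Cookie`/`Request` types and the sample values are assumptions, and transitional exceptions a real browser may apply are not modelled.

```python
# Added illustration (not Firefox's code): a simplified model of which cookies
# a browser attaches to a request once an absent SameSite attribute is treated
# as Lax. Assumed: `disabled_hosts` plays the role of the
# network.cookie.sameSite.laxByDefault.disabledHosts pref named in the thread;
# `accept_cookie` models "Reject insecure SameSite=None cookies".
from dataclasses import dataclass
from typing import Iterable, Optional

# Methods the Lax rule lets through on a top-level navigation.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: Optional[str] = None  # "Strict", "Lax", "None", or None if absent
    secure: bool = False


@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool             # initiator's site differs from the target site
    top_level_navigation: bool   # navigation (link click, form post) vs. sub-resource/XHR


def effective_same_site(cookie: Cookie, host: str, lax_by_default: bool = True,
                        disabled_hosts: Iterable[str] = ()) -> str:
    """Resolve the SameSite mode actually enforced for a cookie set by `host`."""
    if cookie.same_site is not None:
        return cookie.same_site
    if lax_by_default and host not in set(disabled_hosts):
        return "Lax"
    return "None"  # legacy behaviour: no attribute meant no restriction


def accept_cookie(cookie: Cookie) -> bool:
    """Set-Cookie acceptance: SameSite=None is only honoured together with Secure."""
    return not (cookie.same_site == "None" and not cookie.secure)


def is_sent(cookie: Cookie, request: Request, host: str, lax_by_default: bool = True,
            disabled_hosts: Iterable[str] = ()) -> bool:
    """Decide whether `cookie` (set by `host`) is attached to `request`."""
    if not request.cross_site:
        return True  # same-site requests always carry the cookie
    mode = effective_same_site(cookie, host, lax_by_default, disabled_hosts)
    if mode == "Strict":
        return False
    if mode == "Lax":
        return request.top_level_navigation and request.method in SAFE_METHODS
    return True  # SameSite=None: cross-site requests are allowed


if __name__ == "__main__":
    # Constructed sample: a legacy session cookie with no SameSite attribute.
    session = Cookie("sid")
    forged_post = Request("POST", cross_site=True, top_level_navigation=False)
    link_click = Request("GET", cross_site=True, top_level_navigation=True)
    print("cross-site POST, lax by default:",
          is_sent(session, forged_post, "example.com"))
    print("cross-site POST, host exempted:",
          is_sent(session, forged_post, "example.com", disabled_hosts=["example.com"]))
    print("cross-site link click, lax by default:",
          is_sent(session, link_click, "example.com"))
```

The point for site owners is visible in the first two calls: with lax by default, a cookie that never set SameSite stops riding along on cross-site POSTs, which is the CSRF mitigation the change buys, while listing the host under the disabled-hosts pref restores the legacy, unrestricted behaviour for that host only. Cookies that genuinely need cross-site delivery must say SameSite=None explicitly, and then also carry Secure.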

Depends on: 1623313
Flags: needinfo?(ehsan)
Keywords: meta
Summary: Enable sameSite=lax by default → [meta] Enable sameSite=lax by default
Blocks: COVID-19
Depends on: 1634921
No longer depends on: 1634921
Depends on: 1642832

FYI, docs for this have been updated as described here. In summary, the docs now reflect the standard for SameSite rather than what Firefox does (they do note that this has changed, and point down to the compatibility table for users to check).

What this means is that when this feature goes in, the only doc change required should be a release note and an update to BCD.

"SameSite=lax by default" and "Reject insecure SameSite=None cookies" have been enabled since Chrome 85.

Assignee: nobody → ngogge
Status: NEW → ASSIGNED
Depends on: 1741863
Duplicate of this bug: 1741863
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/autoland/rev/643bb56a34c4
Enable sameSite=lax by default. r=ckerschb,dveditz
Status: ASSIGNED → RESOLVED
Closed: 13 days ago
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch
Flags: qe-verify+
Regressions: 1742826

FYI, the Firefox 96 docs work for this can be tracked in https://github.com/mdn/content/issues/10857#issuecomment-982280050.
Mostly it is browser compatibility and also some additions to explain what "schemeful" means. The SameSite-Lax and setting for secure context were already documented.
