Open Bug 1617609 Opened 8 months ago Updated 2 months ago

[meta] Enable sameSite=lax by default

Categories

(Core :: Networking: Cookies, task, P2)

task

People

(Reporter: baku, Unassigned)

References

(Depends on 2 open bugs, Blocks 1 open bug)

Details

(Keywords: dev-doc-needed, meta, site-compat, Whiteboard: [necko-triaged])

Chrome is enabling SameSite=Lax by default. This bug is about enabling the same feature in Firefox. See bug 1604212.

Depends on: 1617611
Keywords: site-compat

Hi,

Where can I track the release for this feature? And which versions of FF will this be launched for?

> Where can I track the release for this feature? And which versions of FF will this be launched for?

Watch this bug. See Tracking -> Milestone when Status changed to FIXED.

Mozilla may observe how Chrome's rollout goes
https://www.chromium.org/updates/same-site
https://www.chromestatus.com/feature/5088147346030592

See Also: → sameSiteLax-breakage
Priority: -- → P2
Whiteboard: [necko-triaged]

(In reply to j.j. from comment #2)

> > Where can I track the release for this feature? And which versions of FF will this be launched for?
>
> Watch this bug. See Tracking -> Milestone when Status changed to FIXED.
>
> Mozilla may observe how Chrome's rollout goes
> https://www.chromium.org/updates/same-site
> https://www.chromestatus.com/feature/5088147346030592

Thanks for the information. Which values will the SameSite attribute support? E.g. None, Strict? Will the older versions also support SameSite?

Depends on: 1620717

Please note that Bugzilla is a tracking database for implementers and not the best place to ask general questions, as it interferes with workflow.

> Which values will the SameSite attribute support?

See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#SameSite.
For SameSite=Lax by default, the above linked Chromestatus entry should have helpful links.

> Will the older versions also support SameSite?

Yes, as SameSite is supported since Firefox 60:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Browser_compatibility

No, if you mean "Treat cookies as SameSite=Lax by default if no SameSite attribute is specified", which is what this bug is about.

From Chrome:

> One policy will allow administrators to specify a list of domains on which cookies should be handled according to the legacy behavior (LegacySameSiteCookieBehaviorEnabledForDomainList), and a second policy will provide the option to set the global default to legacy SameSite behavior for all cookies (LegacySameSiteCookieBehaviorEnabled). More details about these policies will follow in future enterprise release notes before the Chrome 79 release.

Will we have the ability to do this on a per domain basis or will we just be able to flip the global default?

What is the name of the pref that controls this?

Depends on: 1622091

In bug 1623313 I have implemented a similar behavior. Pref network.cookie.sameSite.laxByDefault.disabledHosts can be used to have legacy sameSite behavior for a list of hosts.
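The two comments above describe the change in one sentence each: cookies set without a SameSite attribute stop being unrestricted and start behaving as Lax, except for hosts listed in network.cookie.sameSite.laxByDefault.disabledHosts. The following model, added here as an illustration and not taken from this bug or from Firefox source, works through which cookie/request pairs actually lose their cookie when that default flips, so a site owner can see what a "site-compat" breakage looks like before it ships. Assumptions, also marked in the code: the registrable domain is approximated as the last two host labels (browsers use the Public Suffix List); the exemption list is matched by exact cookie host (the real pref's matching rule is not stated on this page); the "SameSite=None requires Secure" rule that Chrome rolled out alongside Lax-by-default is modelled as rejecting such cookies; all host names and cookies are constructed sample data.

```javascript
// Added example (not from Bugzilla or Firefox). Models the cookie-attachment
// decision that changes when a browser moves from legacy SameSite handling to
// "Lax by default", plus a host exemption list in the spirit of
// network.cookie.sameSite.laxByDefault.disabledHosts (exact matching rule assumed).

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Simplification: last two labels stand in for the Public Suffix List lookup.
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

function isSameSite(hostA, hostB) {
  return registrableDomain(hostA) === registrableDomain(hostB);
}

// Host-only cookie scoping: the cookie applies to its own host and its subdomains.
function cookieMatchesHost(cookie, requestHost) {
  return requestHost === cookie.host || requestHost.endsWith("." + cookie.host);
}

// The SameSite restriction that actually applies to a cookie under a policy.
function effectiveSameSite(cookie, policy) {
  if (cookie.sameSite) return cookie.sameSite;              // explicit attribute wins
  if (!policy.laxByDefault) return "None";                  // legacy: unspecified == unrestricted
  if (policy.disabledHosts.has(cookie.host)) return "None"; // legacy behaviour kept for this host
  return "Lax";                                             // the new default
}

// Would the browser attach this cookie to this request?
function cookieIsSent(cookie, request, policy) {
  if (!cookieMatchesHost(cookie, request.host)) return false;
  const mode = effectiveSameSite(cookie, policy);
  if (mode === "None") {
    // Chrome's companion rule: an explicit SameSite=None cookie without Secure is
    // rejected when set, so it never exists to be sent. Unspecified cookies that
    // merely behave as None under legacy handling are not affected.
    return !(policy.noneRequiresSecure && cookie.sameSite === "None" && !cookie.secure);
  }
  if (isSameSite(request.host, request.initiatorHost)) return true;
  if (mode === "Strict") return false;
  // Lax: cross-site, only top-level navigations with a safe method carry the cookie.
  return request.topLevelNavigation && SAFE_METHODS.has(request.method);
}

// Compare legacy vs Lax-by-default for every cookie/request pair. Rows where the
// answer changes are exactly the integrations that break when the default flips.
function auditSameSiteImpact(cookies, requests, disabledHosts = new Set()) {
  const legacy = { laxByDefault: false, noneRequiresSecure: false, disabledHosts: new Set() };
  const laxDefault = { laxByDefault: true, noneRequiresSecure: true, disabledHosts };
  const rows = [];
  for (const cookie of cookies) {
    for (const request of requests) {
      const before = cookieIsSent(cookie, request, legacy);
      const after = cookieIsSent(cookie, request, laxDefault);
      rows.push({ cookie: cookie.name, request: request.label, before, after, breaks: before && !after });
    }
  }
  return rows;
}

// Constructed sample data; none of these hosts are real sites.
const SAMPLE_COOKIES = [
  { name: "session", host: "shop.example", sameSite: undefined, secure: true }, // no attribute
  { name: "sso",     host: "shop.example", sameSite: "None",    secure: true }, // already migrated
  { name: "tracker", host: "shop.example", sameSite: "None",    secure: false }, // None without Secure
];
const SAMPLE_REQUESTS = [
  { label: "top-level GET link from blog.example",        host: "shop.example", initiatorHost: "blog.example",     method: "GET",  topLevelNavigation: true },
  { label: "top-level POST form from blog.example",       host: "shop.example", initiatorHost: "blog.example",     method: "POST", topLevelNavigation: true },
  { label: "iframe/XHR from blog.example",                host: "shop.example", initiatorHost: "blog.example",     method: "GET",  topLevelNavigation: false },
  { label: "same-site subrequest from www.shop.example",  host: "shop.example", initiatorHost: "www.shop.example", method: "POST", topLevelNavigation: false },
];

// "cookie: request" labels for every pair that stops working.
function brokenPairs(disabledHosts = new Set()) {
  return auditSameSiteImpact(SAMPLE_COOKIES, SAMPLE_REQUESTS, disabledHosts)
    .filter((r) => r.breaks)
    .map((r) => `${r.cookie}: ${r.request}`);
}

console.log("Breaks with Lax by default:", brokenPairs());
console.log("Breaks with shop.example exempted:", brokenPairs(new Set(["shop.example"])));
```

With the sample data, the unspecified session cookie survives the cross-site GET link and the same-site subrequest but is dropped from the cross-site POST form and the iframe/XHR; exempting shop.example restores it. The exemption list only helps cookies that carry no attribute: the insecure SameSite=None tracker cookie is rejected regardless, because the "None requires Secure" rule is evaluated against the explicit attribute, not the default. That is the practical reason to fix cookies by adding SameSite=None; Secure rather than relying on the legacy-behaviour list.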

Depends on: 1623313
Flags: needinfo?(ehsan)
Keywords: meta
Summary: Enable sameSite=lax by default → [meta] Enable sameSite=lax by default
Blocks: COVID-19
Depends on: 1634921
No longer depends on: 1634921
Depends on: 1642832