Closed Bug 1620179 Opened 2 years ago Closed 2 years ago

Cookies don't seem to be propagated with laxByDefault


(Core :: Networking: Cookies, defect, P2)

75 Branch



Tracking Status
firefox-esr68 --- unaffected
firefox73 --- unaffected
firefox74 --- unaffected
firefox75 --- disabled
firefox76 --- fixed


(Reporter: petcuandrei, Assigned: baku)


(Blocks 1 open bug, Regression)


(Keywords: regression, Whiteboard: [necko-triaged])


(3 files)

Attached image bugzilla_bug.gif

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0

Steps to reproduce:

go to
log in with user password

Go to services.
Click on TestDefault.
(please see gif)

Actual results:

Got redirected back to

Expected results:

Should have been redirected to

Attached file mozregression

6:16.63 INFO: Last good revision: 862da1751d9fb10d1daa20940ffa722c888078b1 (2020-02-26)
6:16.63 INFO: First bad revision: 5e69563343eb5bb7b8dfaaacc1e634e57d4583a0 (2020-02-27)

Has Regression Range: --- → yes
Has STR: --- → yes

Seems from the regression range the most likely culprit is bug 1616716?

Flags: needinfo?(matt.woodrow)

Ah, or bug 1604212, actually more likely...

Flags: needinfo?(matt.woodrow) → needinfo?(amarchesini)
Regressed by: 1604212

Can you confirm that toggling network.cookie.sameSite.laxByDefault back to false "fixes" it?

Flags: needinfo?(petcuandrei)

I ran it again on Windows which seems to have more builds
2020-03-05T20:38:56: DEBUG : Found commit message:
Bug 1611710. Don't restrict the draw target to the visible area.

Sometimes the painting code will look at the clip which is derived
from the intial size of the surface and not draw if things if they
are outside of it. We want to draw the entire item so use dtRect
instead of visibleRect.

Differential Revision:

2020-03-05T20:38:56: DEBUG : Did not find a branch, checking all integration branches
2020-03-05T20:38:56: INFO : The bisection is done.
2020-03-05T20:38:56: INFO : Stopped

Flags: needinfo?(petcuandrei)
Regressed by: 1611710

Yes, setting network.cookie.sameSite.laxByDefault to false fixes it

Should this block meta bug 1618610 ?

yes, it should!

Ignore my last windows regression. I ran it again and I got a better result. I might have selected something wrong in that run.

2020-03-05T22:19:22: INFO : Narrowed integration regression window from [28a2fba7, 150b8347] (4 builds) to [a14a131c, 150b8347] (2 builds) (~1 steps left)
2020-03-05T22:19:22: DEBUG : Starting merge handling...
2020-03-05T22:19:22: DEBUG : Using url:
2020-03-05T22:19:23: DEBUG : Found commit message:
Bug 1604212 - Enable sameSite=lax by default, r=Ehsan,ahal

Differential Revision:

2020-03-05T22:19:23: DEBUG : Did not find a branch, checking all integration branches
2020-03-05T22:19:23: INFO : The bisection is done.
2020-03-05T22:19:23: INFO : Stopped

No longer regressed by: 1611710

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Password Manager
Product: Firefox → Toolkit
Component: Password Manager → General
Product: Toolkit → Core
Component: General → Networking: Cookies
Summary: Redirect does not work to a new page → Cookies don't seem to be propagated with laxByDefault

Cookie samesite=lax by default, is slowing become the standard. Chrome is rolling out this feature to 25% of users.
What I suggest is to contact and ask them to add the attribute: 'sameSite=none'. Peter, do you know who can do it?

Flags: needinfo?(amarchesini) → needinfo?(stpeter)

I work at UiPath.
I forced same site lax on Chrome. I even waited 2 minutes before clicking the link. Are you sure this is not a Firefox issue and it's a web site issue?

Flags: needinfo?(amarchesini)
Assignee: nobody → amarchesini
Flags: needinfo?(amarchesini)
Flags: needinfo?(stpeter)

Should we add the SameSite=none or is this a Firefox bug?
Should I wait some more?

Priority: -- → P2
Whiteboard: [necko-triaged]

This is a bug in firefox. I wrote a fix, it should be reviewed today and it should be available in nightly in 1 or 2 days max.

Pushed by
cookie sameSite=lax by default must have a 2 minute tolerance for unsafe HTTP methods, r=ckerschb
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla76

FYI... fixed my issue with See Bug 1618336

Duplicate of this bug: 1618336
Regressions: 1626696
Regressions: 1646727
You need to log in before you can comment on or make changes to this bug.