Closed Bug 1620179 Opened 5 years ago Closed 5 years ago

Cookies don't seem to be propagated with laxByDefault

Categories

(Core :: Networking: Cookies, defect, P2)

Product:
Core
Component:
Networking: Cookies
Version:
75 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla76
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox73 --- unaffected
firefox74 --- unaffected
firefox75 --- disabled
firefox76 --- fixed

People

(Reporter: petcuandrei, Assigned: baku)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [necko-triaged])

Attachments

(3 files)

bugzilla_bug.gif
658.79 KB, image/gif
Details
mozregression
10.08 KB, text/plain
Details
Bug 1620179 - cookie sameSite=lax by default must have a 2 minute tolerance for unsafe HTTP methods, r?ehsan
47 bytes, text/x-phabricator-request
Details | Review
Attached image bugzilla_bug.gif

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0

Steps to reproduce:

go to https://alpha.uipath.com
log in with user password
kanohem335@mailimail.com
Test123$

Go to services.
Click on TestDefault.
(please see gif)

Actual results:

Got redirected back to alpha.uipath.com

Expected results:

Should have been redirected to https://alpha.uipath.com/testatksyoq/TestDefault

Attached file mozregression

6:16.63 INFO: Last good revision: 862da1751d9fb10d1daa20940ffa722c888078b1 (2020-02-26)
6:16.63 INFO: First bad revision: 5e69563343eb5bb7b8dfaaacc1e634e57d4583a0 (2020-02-27)

Has Regression Range: --- → yes
Has STR: --- → yes

Seems from the regression range the most likely culprit is bug 1616716?

Flags: needinfo?(matt.woodrow)

Ah, or bug 1604212, actually more likely...

Flags: needinfo?(matt.woodrow) → needinfo?(amarchesini)
Regressed by: 1604212

Can you confirm that toggling network.cookie.sameSite.laxByDefault back to false "fixes" it?

Flags: needinfo?(petcuandrei)

I ran it again on Windows which seems to have more builds
2020-03-05T20:38:56: DEBUG : Found commit message:
Bug 1611710. Don't restrict the draw target to the visible area.

Sometimes the painting code will look at the clip which is derived
from the intial size of the surface and not draw if things if they
are outside of it. We want to draw the entire item so use dtRect
instead of visibleRect.

Differential Revision: https://phabricator.services.mozilla.com/D64277

2020-03-05T20:38:56: DEBUG : Did not find a branch, checking all integration branches
2020-03-05T20:38:56: INFO : The bisection is done.
2020-03-05T20:38:56: INFO : Stopped

Flags: needinfo?(petcuandrei)
Regressed by: 1611710

Yes, setting network.cookie.sameSite.laxByDefault to false fixes it

Should this block meta bug 1618610 ?

yes, it should!

Blocks: sameSiteLax-breakage

Ignore my last windows regression. I ran it again and I got a better result. I might have selected something wrong in that run.

2020-03-05T22:19:22: INFO : Narrowed integration regression window from [28a2fba7, 150b8347] (4 builds) to [a14a131c, 150b8347] (2 builds) (~1 steps left)
2020-03-05T22:19:22: DEBUG : Starting merge handling...
2020-03-05T22:19:22: DEBUG : Using url: https://hg.mozilla.org/integration/autoland/json-pushes?changeset=150b8347d28f8a05bddd6cd9ea4b7851490639a1&full=1
2020-03-05T22:19:23: DEBUG : Found commit message:
Bug 1604212 - Enable sameSite=lax by default, r=Ehsan,ahal

Differential Revision: https://phabricator.services.mozilla.com/D63081

2020-03-05T22:19:23: DEBUG : Did not find a branch, checking all integration branches
2020-03-05T22:19:23: INFO : The bisection is done.
2020-03-05T22:19:23: INFO : Stopped

No longer regressed by: 1611710

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Password Manager
Product: Firefox → Toolkit
Component: Password Manager → General
Product: Toolkit → Core
Component: General → Networking: Cookies
Summary: Redirect does not work to a new page → Cookies don't seem to be propagated with laxByDefault

Cookie samesite=lax by default, is slowing become the standard. Chrome is rolling out this feature to 25% of users.
What I suggest is to contact uipath.com and ask them to add the attribute: 'sameSite=none'. Peter, do you know who can do it?

Flags: needinfo?(amarchesini) → needinfo?(stpeter)

I work at UiPath.
I forced same site lax on Chrome. I even waited 2 minutes before clicking the link. Are you sure this is not a Firefox issue and it's a web site issue?

Flags: needinfo?(amarchesini)
Assignee: nobody → amarchesini
Flags: needinfo?(amarchesini)
Flags: needinfo?(stpeter)

Should we add the SameSite=none or is this a Firefox bug?
Should I wait some more?

Priority: -- → P2
Whiteboard: [necko-triaged]

This is a bug in firefox. I wrote a fix, it should be reviewed today and it should be available in nightly in 1 or 2 days max.

Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f50793e86245 cookie sameSite=lax by default must have a 2 minute tolerance for unsafe HTTP methods, r=ckerschb

https://hg.mozilla.org/mozilla-central/rev/f50793e86245

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox76: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla76

FYI... fixed my issue with HBOGo.com. See Bug 1618336

Regressions: 1626696
Flags: qe-verify+
Regressions: 1646727
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: