Will Cookies set with Samesite=None be treated as None or Lax, when samesite=Lax is enforced?
Categories
(Core :: Networking: Cookies, defect)
People
(Reporter: ritikashetty543, Unassigned)
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.43 Safari/537.36
Steps to reproduce:
Set a response cookie with Samesite=None
Actual results:
Firefox stored the cookie with Samesite=unset
Expected results:
Currently on FF v73, when a cookie is set with Samesite=None, it is stored with Samesite=unset on the browser. We wanted to check: if we start setting None (ahead of time), and when the new FF version starts defaulting to LAX by default, will our old cookies (which are showing as Samesite=Unset right now) get marked as None (as we intend) or Lax?
Comment 1•5 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 2•5 years ago
How did you confirm that the sameSite attribute is unset? Using Firefox Developer Tools?
Comment 3•5 years ago
(In reply to Masatoshi Kimura [:emk] from comment #2)
> How did you confirm that the sameSite attribute is unset? Using Firefox Developer Tools?
"unset" is not a valid value since bug 1551798. Now the possible values are "none", "lax" and "strict".
Any existing cookie with sameSite "none" (it was "unset") will be treated as "none".
We enable "lax" by default only for new cookies.
Yes, I checked the value using developer tools. We are setting the Samesite value as 'None' in the response cookies; however, when I check the samesite value under the storage tab, I see it as 'Unset'. This happens on version 73.
For version 74, Samesite is set to 'None' as expected.
Comment 5•5 years ago
That is only a DevTools UI issue. The backend would record the sameSite attribute correctly.