Closed Bug 1628248 Opened 5 years ago Closed 5 years ago

Non SameSite=None cookies are displayed as SameSite=None on Storage panel

Categories

(DevTools :: Storage Inspector, defect)

74 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: koba0004, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0

Steps to reproduce:

I've set cookies with SameSite=None (foo) and without the SameSite (foo2) attribute and then confirmed the results on the Storage panel in the Developer Tools.

  1. Access https://probable-oxidized-leather.glitch.me/ with Firefox 74
  2. Open Storage panel
  3. See the cookie value for probable-oxidized-leather.glitch.me

The source code of the site is here.
https://glitch.com/edit/#!/probable-oxidized-leather

Firefox Developer Edition (75.0b11) also has the same behavior.

Actual results:

Both cookies (foo and foo2) were displayed as SameSite=None.
Cookies displayed on the Network panel seem to be correct: only the foo2 cookie is displayed as having a SameSite attribute of None.

See the attached file.

Expected results:

foo cookie shouldn't be displayed as SameSite=None.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Netmonitor
Product: Firefox → DevTools

I might have misunderstood.
Is this cookie value a calculated value?

I guess that Firefox's default SameSite attribute is None, so Developer Tool has shown None even if the cookie attribute is not specified.
Is this correct?

Component: Netmonitor → Storage Inspector

Hi, thanks for the report!

(In reply to koba0004 from comment #2)

> I might have misunderstood.
> Is this cookie value a calculated value?
>
> I guess that Firefox's default SameSite attribute is None, so Developer Tool has shown None even if the cookie attribute is not specified.
> Is this correct?

Yes, this is correct, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite, especially the compatibility table at the end: you'll see that Firefox wants to default to Lax, but this is only enabled on Nightly builds for now.

You can follow the progress of enabling Lax by default on Bug 1617609. It seems to be making progress.
Note that you can also flip the preference network.cookie.sameSite.laxByDefault in about:config in order to test this locally.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
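
The difference between the declared attribute and the calculated value discussed in this thread, as an added example that is not part of the bug report or of Firefox's code: it parses Set-Cookie headers and reports what each cookie declares against the effective SameSite value with and without Lax-by-default. The header strings and function names are constructed for illustration; treating an unrecognised value as absent and letting the last SameSite attribute win are assumptions taken from the RFC 6265bis draft, not from this page.

```javascript
// Constructed sample Set-Cookie values (not copied from the reporter's test site).
const SAMPLE_HEADERS = [
  "foo=1; Path=/; Secure; SameSite=None", // attribute set explicitly
  "foo2=1; Path=/",                       // no SameSite attribute at all
  "sid=abc; Path=/; HttpOnly; samesite=strict",
  "pref=x; SameSite=bogus",               // unrecognised value
];

const KNOWN = new Map([["none", "None"], ["lax", "Lax"], ["strict", "Strict"]]);

// Returns { name, declared }; declared is "None" | "Lax" | "Strict" | null.
function parseSameSite(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  let declared = null;
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    if (key !== "samesite") continue;
    const value = i === -1 ? "" : attr.slice(i + 1).trim().toLowerCase();
    // Assumption (RFC 6265bis draft): last attribute wins, unknown value = absent.
    declared = KNOWN.get(value) ?? null;
  }
  return { name, declared };
}

// The value a panel would show when it displays the calculated SameSite:
// the declared one, or the browser default when nothing usable was declared.
function effectiveSameSite(declared, laxByDefault) {
  if (declared !== null) return declared;
  return laxByDefault ? "Lax" : "None";
}

// One row per cookie; reliesOnDefault marks cookies whose behaviour changes
// when network.cookie.sameSite.laxByDefault is flipped.
function audit(headers) {
  return headers.map((h) => {
    const { name, declared } = parseSameSite(h);
    return {
      name,
      declared,
      legacyDefault: effectiveSameSite(declared, false),
      laxByDefault: effectiveSameSite(declared, true),
      reliesOnDefault: declared === null,
    };
  });
}

console.table(audit(SAMPLE_HEADERS));
```

Rows with `reliesOnDefault` set to true are the cookies to give an explicit SameSite attribute before the default changes.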