Open Bug 1651119 (schemeful-samesite) Opened 2 years ago Updated 7 days ago

[meta] Enable cookie sameSite schemeful

Categories: Core :: Networking: Cookies, task, P3

People: Reporter: baku, Unassigned

References: Depends on 5 open bugs, Blocks 1 open bug

Details: Keywords: meta, Whiteboard: [necko-triaged]

https://github.com/sbingler/schemeful-same-site:
"Modify SameSite’s implementation in the user agent to consider origins with different schemes as cross-site. Thus https://site.example and http://site.example would now be considered cross-site.
Part of this effort will be to update Incrementally Better Cookies to match the intended behavior."

Depends on: 1651120
Severity: -- → N/A
Priority: -- → P2
Whiteboard: [necko-triaged]
Blocks: cookie
See Also: → 1687370
See Also: → 1692285
Priority: P2 → P3
Alias: schemeful-samesite
Depends on: 1687370
See Also: 1687370

The behavior of schemeful-samesite as found in Nightly seems to be different to what is described in https://github.com/sbingler/schemeful-same-site.

In particular, this part does not seem to hold:

This means that both secure and insecure origins will retain access to the same set of cookies. I.e., if a user visits http://site.example with http://site.example/image.jpg and the response sets a cookie then when that user visits https://site.example the request to https://site.example/image.jpg will still send that same cookie.

In Nightly, when a cookie is set from https://site.example.com/, when I visit http://site.example.com/ I get the following warning:

Cookie “foo” has been treated as cross-site against “http://test.example.com/” because the scheme does not match.
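The two points at issue here, the proposal's definition of a "site" as (scheme, registrable domain) and the expectation quoted above that a cookie set under one scheme stays reachable under the other, can be made concrete with a small model. The following is an added example, not Firefox's cookie code or the schemeful-same-site proposal's reference implementation: it uses a constructed, three-entry stand-in for the Public Suffix List, a toy host-keyed cookie jar, and only models SameSite=Lax/Strict/None for subresource requests (no Secure attribute, no navigation rules). Under the proposal's semantics the same-site check compares the request URL with the top-level document, not with the scheme the cookie was originally set from.

```python
from typing import Optional, Tuple, List, Dict
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; a real user agent consults the full list.
TOY_PUBLIC_SUFFIXES = {"com", "example", "co.uk"}


def registrable_domain(host: str) -> Optional[str]:
    """Return the registrable domain (eTLD+1) of host, or None if host is itself a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in TOY_PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return host.lower()  # no listed suffix: treat the whole host as the site


def site_of(url: str, schemeful: bool) -> Tuple:
    """A site is the registrable domain; under schemeful same-site it also carries the scheme."""
    parts = urlsplit(url)
    domain = registrable_domain(parts.hostname or "")
    return (parts.scheme.lower(), domain) if schemeful else (domain,)


def same_site(url_a: str, url_b: str, schemeful: bool) -> bool:
    """True when both URLs belong to the same site under the chosen (schemeful or not) definition."""
    return site_of(url_a, schemeful) == site_of(url_b, schemeful)


class CookieJar:
    """Toy jar keyed by host only, as cookie stores are: the scheme a cookie was set
    from is not part of the key, so a cookie set by https://site.example is visible to
    requests to http://site.example (the Secure attribute, not modelled here, is what
    limits a cookie to https).
    """

    def __init__(self) -> None:
        self._jar: Dict[str, Dict[str, str]] = {}  # host -> {cookie name: SameSite value}

    def set_cookie(self, response_url: str, name: str, samesite: str = "Lax") -> None:
        host = urlsplit(response_url).hostname or ""
        self._jar.setdefault(host, {})[name] = samesite

    def cookies_for(self, request_url: str, top_level_url: str, schemeful: bool) -> List[str]:
        """Names of the cookies attached to a subresource request issued from a document at top_level_url."""
        host = urlsplit(request_url).hostname or ""
        is_same_site = same_site(request_url, top_level_url, schemeful)
        sent = []
        for name, samesite in self._jar.get(host, {}).items():
            # SameSite=None is always attached; Lax and Strict need a same-site context
            # (Lax additionally allows top-level navigations, which subresources are not).
            if samesite == "None" or is_same_site:
                sent.append(name)
        return sent


if __name__ == "__main__":
    jar = CookieJar()
    jar.set_cookie("https://site.example/", "foo", "Lax")  # set under https
    # Same host and scheme as the top-level document: sent under both definitions.
    print(jar.cookies_for("http://site.example/image.jpg", "http://site.example/", schemeful=True))
    # https subresource inside an http document: same-site schemelessly, cross-site schemefully.
    print(jar.cookies_for("https://site.example/image.jpg", "http://site.example/", schemeful=False))
    print(jar.cookies_for("https://site.example/image.jpg", "http://site.example/", schemeful=True))
```

The third call is the case the scheme change affects: the Lax cookie is withheld only when the request and the top-level document differ in scheme, while the first call shows the cookie set from https is still attached to an all-http page load, which is the behaviour the proposal text above describes.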

See Also: → 1665794
Webcompat Priority: --- → ?
Webcompat Priority: ? → ---
See Also: → 1744945
No longer depends on: 1746684
Depends on: 1748693
Depends on: 1750972
Depends on: 1749558
Depends on: 1751435