Open Bug 1653518 Opened 4 years ago Updated 10 months ago

SameSite Implementation is wrong or log message is misleading

Categories

(Core :: Networking: Cookies, defect, P3)

79 Branch
defect

Tracking


Tracking Status
firefox78 --- unaffected
firefox79 --- affected
firefox80 --- affected

People

(Reporter: simon.schatka, Unassigned)

References

Details

(Whiteboard: [necko-triaged])

Attachments

(3 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Steps to reproduce:

I went to one of our (internal) pages, but you can also see it on reddit.com.
Basically what is happening is a missing SameSite Attribute, when setting a cookie.

Actual results:

It shows the following message:

  • Some cookies are misusing the recommended “sameSite“ attribute 4
  • Cookie “gdpr_status” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Expected results:

According to your own documentation (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite), "Lax" should be the default "in modern browsers" (which, I would argue, Firefox is).

So either the default is not really "Lax" or the warning message should show something like: SameSite Attribute was missing, so it has been defaulted to "Lax". Consider setting this value explicitly. See <mozilla documentation> for further information.

Hi,
Thanks Simon for the report. I can also reproduce on my end using Win 10 Pro.

In nightly 80.0a1 (2020-07-22) (32-bit), it shows:

Some cookies are misusing the “SameSite“ attribute, so it won’t work as expected 4
Cookie “aax-vsid” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute. aax.js
Cookie “aax-vsid” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute. aax.js
Cookie “mnet_session_depth” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute. aax.js:2:92364
Cookie “__aaxsc” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute. aax.js:2:92364

For release 78.0.2 (64-bit) it shows

Some cookies are misusing the recommended “sameSite“ attribute 3
Cookie “GoogleAdServingTest” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

And beta 79.0 (64-bit)

Some cookies are misusing the “sameSite“ attribute, so it won’t work as expected 2
Cookie “mnet_session_depth” has “sameSite” policy set to “lax” because it is missing a “sameSite” attribute, and “sameSite=lax” is the default value for this attribute. aax.js:2:92360
Cookie “__aaxsc” has “sameSite” policy set to “lax” because it is missing a “sameSite” attribute, and “sameSite=lax” is the default value for this attribute. aax.js:2:92360

I will move this over to a component so developers can take a look at it. If it is not the correct component, please feel free to change it to an appropriate one.

Best regards, Clara.

Status: UNCONFIRMED → NEW
Component: Untriaged → Networking: Cookies
Ever confirmed: true
Product: Firefox → Core

Closing as invalid, because the message says exactly what the problem is. If you believe Firefox handles sameSite=none without the secure attribute incorrectly, include the whole response of the server that triggered this message.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID

Your own documentation is showing that if SameSite is not specified, it will be defaulted to "Lax". So why is it showing a log message that it soon will be rejected because of the missing Secure Attribute?

Lax(which should be the default value) does NOT require the Secure Attribute.

Status: RESOLVED → REOPENED
Resolution: INVALID → ---

Honza, please check the console warnings and consider some changes, because people are confused by them. The current code prints the warnings according to current value of preference network.cookie.sameSite.laxByDefault, but MDN text is formulated so that laxByDefault will be true soon.

Severity: -- → S4
Flags: needinfo?(honzab.moz)
Priority: -- → P3
Whiteboard: [necko-triaged]

Few notes first, then I look into this a bit more:

  • network.cookie.sameSite.laxByDefault is true by default only for Nightly, false for other update channels (not clear which channel was used to reproduce the problem from comment 0).
  • there is also an experiment running on Beta channel, so the value is/may be random on that update channel

Please check if this is consistent with the screenshots and your findings, and please make clear which one you consider the "correct" one. If Nightly, then this is WONTFIX.

As already selected when I created the issue, I am using Firefox 79(79.0 (64-bit))

(In reply to simon.schatka from comment #9)

As already selected when I created the issue, I am using Firefox 79(79.0 (64-bit))

So Release channel. There the value is false. No default to lax.

Flags: needinfo?(honzab.moz)

Appears to still be an issue on release channel, Firefox 89.0.1 (64-bit).

The warning message in question (Cookie “...” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute.) appears to be misleading:

  1. Cookies without a SameSite attribute are not currently rejected
  2. When network.cookie.sameSite.laxByDefault is set to true, the warning message changes to what would be expected: Cookie “...” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute.
  3. By https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/, it appears the intention is to first set network.cookie.sameSite.laxByDefault to true ("When not specified, cookies will be treated as SameSite=Lax by default").
  4. Therefore, it appears there is no legitimate future situation where cookies without a SameSite attribute will be rejected - and so the warning message in question is misleading.
See Also: → sameSiteLax-breakage
Status: REOPENED → NEW
Duplicate of this bug: 1873758
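To make the channel-dependent behaviour discussed in comments 8 through 11 and in the comment above concrete, here is an added model of the decision the warnings describe. It is example code written for this page, not Firefox's cookie code. The `laxByDefault` parameter stands for network.cookie.sameSite.laxByDefault as the thread describes it (true on Nightly, false on Release); `noneRequiresSecure` is an assumed knob for the eventual "rejected" step that the "will be soon rejected" message announces, since this page does not name the pref that enforces it. The sample Set-Cookie headers are constructed, modelled on the cookie names in comment 0.

```javascript
// Added example, not Firefox code: a model of how the effective SameSite policy and the
// console warning depend on laxByDefault, as described in this bug.

function parseSetCookie(header) {
  // Split "name=value; Attr; Attr=val" into name, value and a lower-cased attribute map.
  // Attribute names are case-insensitive (RFC 6265), so "samesite" and "SameSite" match.
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

function evaluateSameSite(header, { laxByDefault, noneRequiresSecure = false }) {
  const { name, attrs } = parseSetCookie(header);
  const secure = "secure" in attrs;
  const raw = attrs.samesite;
  let policy; // effective SameSite policy the model applies
  let source; // "missing", "explicit" or "invalid"
  if (raw === undefined) {
    // With laxByDefault=false a missing attribute lands in the same bucket as SameSite=None,
    // which is why the reporter's cookie got the "None or invalid value" warning.
    policy = laxByDefault ? "Lax" : "None";
    source = "missing";
  } else {
    const v = String(raw).toLowerCase();
    if (v === "lax" || v === "strict" || v === "none") {
      policy = v[0].toUpperCase() + v.slice(1);
      source = "explicit";
    } else {
      policy = "None";
      source = "invalid";
    }
  }

  let accepted = true;
  let message = null;
  if (policy === "None" && !secure) {
    // Only None needs Secure; Lax and Strict never trigger this branch.
    accepted = !noneRequiresSecure; // assumed enforcement knob, see lead-in
    message = accepted
      ? `Cookie "${name}" will be soon rejected because it has the "SameSite" attribute set to "None" or an invalid value, without the "secure" attribute.`
      : `Cookie "${name}" rejected: SameSite=None without Secure (model wording).`;
  } else if (source === "missing") {
    message = `Cookie "${name}" has "SameSite" policy set to "Lax" because it is missing a "SameSite" attribute, and "SameSite=Lax" is the default value for this attribute.`;
  }
  return { name, policy, source, secure, accepted, message };
}

// Same header, two channels: Release (laxByDefault=false) vs Nightly (laxByDefault=true).
function compareChannels(header) {
  return {
    release: evaluateSameSite(header, { laxByDefault: false }),
    nightly: evaluateSameSite(header, { laxByDefault: true }),
  };
}

// Constructed sample, modelled on the cookie name from comment 0 (no SameSite attribute).
const reportedHeader = "gdpr_status=accepted; Path=/; Max-Age=31536000";
const result = compareChannels(reportedHeader);
console.log("release:", result.release.policy, "->", result.release.message);
console.log("nightly:", result.nightly.policy, "->", result.nightly.message);
```

Run it with `node` and the same header produces the "will be soon rejected" text under the Release setting and the "set to Lax ... default value" text under the Nightly setting, which is exactly the discrepancy between comment 0 and the Nightly output in comment 1. Adding `SameSite=Lax` (or `SameSite=None; Secure`) to the header silences both messages under either setting.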

The severity field for this bug is set to S4. However, the following bug duplicate has higher severity:

:manuel, could you consider increasing the severity of this bug to S3?

For more information, please visit BugBot documentation.

Flags: needinfo?(manuel)
Severity: S4 → S3
Flags: needinfo?(manuel)
