SameSite Implementation is wrong or log message is misleading
Categories
(Core :: Networking: Cookies, defect, P3)
Tracking
| Tracking | Status |
|---|---|
| firefox78 | unaffected |
| firefox79 | affected |
| firefox80 | affected |
People
(Reporter: simon.schatka, Unassigned)
References
Details
(Whiteboard: [necko-triaged])
Attachments
(3 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Steps to reproduce:
I went to one of our (internal) pages, but you can also see it on reddit.com.
Basically what is happening is a missing SameSite attribute when setting a cookie.
Actual results:
It shows the following message:
- Some cookies are misusing the recommended “sameSite“ attribute 4
- Cookie “gdpr_status” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Expected results:
According to your own documentation (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite), "Lax" should be the default "in modern browsers" (which I would argue Firefox is).
So either the default is not really "Lax", or the warning message should show something like: SameSite attribute was missing, so it has been defaulted to "Lax". Consider setting this value explicitly. See <mozilla documentation> for further information.
Comment 1•4 years ago
Hi,
Thanks Simon for the report. I can also reproduce on my end using Win 10 Pro.
In nightly 80.0a1 (2020-07-22) (32-bit), it shows:
Some cookies are misusing the “SameSite“ attribute, so it won’t work as expected 4
Cookie “aax-vsid” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute. aax.js
Cookie “aax-vsid” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute. aax.js
Cookie “mnet_session_depth” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute. aax.js:2:92364
Cookie “__aaxsc” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute. aax.js:2:92364
For release 78.0.2 (64-bit) it shows:
Some cookies are misusing the recommended “sameSite“ attribute 3
Cookie “GoogleAdServingTest” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
And beta 79.0 (64-bit):
Some cookies are misusing the “sameSite“ attribute, so it won’t work as expected 2
Cookie “mnet_session_depth” has “sameSite” policy set to “lax” because it is missing a “sameSite” attribute, and “sameSite=lax” is the default value for this attribute. aax.js:2:92360
Cookie “__aaxsc” has “sameSite” policy set to “lax” because it is missing a “sameSite” attribute, and “sameSite=lax” is the default value for this attribute. aax.js:2:92360
I will move this over to a component so developers can take a look at it. If it is not the correct component, please feel free to change it to an appropriate one.
Best regards, Clara.
Comment 2•4 years ago
Comment 3•4 years ago
Comment 4•4 years ago
Comment 5•4 years ago
Closing as invalid, because the message says exactly what the problem is. If you believe Firefox handles sameSite=none without the secure attribute incorrectly, include the whole response of the server that triggered this message.
Reporter
Comment 6•4 years ago
Your own documentation is showing that if SameSite is not specified, it will be defaulted to "Lax". So why is it showing a log message that it will soon be rejected because of the missing Secure attribute?
Lax (which should be the default value) does NOT require the Secure attribute.
Comment 7•4 years ago
Honza, please check the console warnings and consider some changes, because people are confused by them. The current code prints the warnings according to current value of preference network.cookie.sameSite.laxByDefault, but MDN text is formulated so that laxByDefault will be true soon.
Comment 8•4 years ago
A few notes first, then I'll look into this a bit more:
- network.cookie.sameSite.laxByDefault is true by default only for Nightly, false for other update channels (not clear which channel was used to reproduce the problem from comment 0).
- There is also an experiment running on the Beta channel, so the value is/may be random on that update channel.
Please check if this is consistent with the screenshots and your findings, and please make clear which one you consider the "correct" one. If for Nightly, then this is WONTFIX.
Reporter
Comment 9•4 years ago
As already selected when I created the issue, I am using Firefox 79 (79.0 (64-bit)).
Comment 10•4 years ago
(In reply to simon.schatka from comment #9)
> As already selected when I created the issue, I am using Firefox 79 (79.0 (64-bit)).
So Release channel. There the value is false. No default to lax.
Comment 11•3 years ago
Appears to still be an issue on release channel, Firefox 89.0.1 (64-bit).
The warning message in question (Cookie “...” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute.) appears to be misleading:
- Cookies without a SameSite attribute are not currently rejected.
- When network.cookie.sameSite.laxByDefault is set to true, the warning message changes to what would be expected: Cookie “...” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute.
- By https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/, it appears the intention is to first set network.cookie.sameSite.laxByDefault to true ("When not specified, cookies will be treated as SameSite=Lax by default").
- Therefore, it appears there is no legitimate future situation where cookies without a SameSite attribute will be rejected - and so the warning message in question is misleading.
Comment 13•10 months ago
The severity field for this bug is set to S4. However, the following bug duplicate has higher severity:
- Bug 1873758: S3
:manuel, could you consider increasing the severity of this bug to S3?
For more information, please visit BugBot documentation.