Closed Bug 1744945 Opened 4 years ago Closed 4 years ago

Add scheme checks to CookieCommons::IsSameSiteForeign for "Schemeful SameSite"

Categories

(Core :: DOM: Security, defect)

defect

Tracking


RESOLVED FIXED
97 Branch
Tracking Status
firefox96 --- fixed
firefox97 --- fixed

People

(Reporter: n.goeggi, Assigned: n.goeggi)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

We are failing the following WPT because we are not comparing schemes when determining if a request is "same site foreign".
cookies/schemeful-same-site/schemeful-navigation.tentative.html

If we set SameSite=Strict cookies on http://example.com and navigate to https://example.com, we won't send the strict cookies; but if we then navigate to http://example.com, we will send the cookies even though that classifies as a cross-site request, because the schemes are not the same (https->http).

We currently only compare the scheme of a request with the scheme that was used when setting the cookie, but we should also compare the host scheme with the request scheme.
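The two comparisons the report describes, as an added C++ example that is not Firefox's CookieCommons code. It models a site as (scheme, host) only, leaves out ports, paths and registrable-domain handling, and uses the hypothetical names ParseSiteUrl, IsSameSiteForeign, StrictCookie, kHttpCookie and ShouldSendStrictCookie. The pre-patch "same site foreign" rule is assumed to be a host-only comparison, and the scheme a cookie was set under is assumed to be stored with it; the `schemeful` flag switches between the host-only and the host+scheme comparison so the https->http navigation from the description can be watched going from "sent" to "withheld".

```cpp
#include <cstdio>
#include <optional>
#include <string>

// Minimal site model: scheme and host only. Ports, paths and registrable-domain
// (eTLD+1) handling are deliberately left out; this is an illustration, not
// Firefox's CookieCommons implementation.
struct SiteUrl {
  std::string scheme;
  std::string host;
};

// Hypothetical helper: split "https://example.com/path" into scheme and host.
std::optional<SiteUrl> ParseSiteUrl(const std::string& url) {
  const auto sep = url.find("://");
  if (sep == std::string::npos) {
    return std::nullopt;
  }
  const std::string scheme = url.substr(0, sep);
  const std::string rest = url.substr(sep + 3);
  const std::string host = rest.substr(0, rest.find_first_of("/:?#"));
  if (scheme.empty() || host.empty()) {
    return std::nullopt;
  }
  return SiteUrl{scheme, host};
}

// Schemeless same-site: only the hosts have to match (assumed pre-patch rule).
bool IsSameSiteSchemeless(const SiteUrl& a, const SiteUrl& b) {
  return a.host == b.host;
}

// Schemeful same-site: hosts match AND schemes are identical, so
// https://example.com and http://example.com count as different sites.
bool IsSameSiteSchemeful(const SiteUrl& a, const SiteUrl& b) {
  return IsSameSiteSchemeless(a, b) && a.scheme == b.scheme;
}

// Hypothetical stand-in for CookieCommons::IsSameSiteForeign: true when the
// request is cross-site relative to the page that initiated it. Unparseable
// input is treated as foreign so a malformed URL can never unlock a cookie.
bool IsSameSiteForeign(const std::string& initiatorUrl,
                       const std::string& requestUrl, bool schemeful) {
  const auto initiator = ParseSiteUrl(initiatorUrl);
  const auto request = ParseSiteUrl(requestUrl);
  if (!initiator || !request) {
    return true;
  }
  return schemeful ? !IsSameSiteSchemeful(*initiator, *request)
                   : !IsSameSiteSchemeless(*initiator, *request);
}

// A SameSite=Strict cookie together with the scheme it was set under
// (assumed stored form; the report says this scheme is what the old code compared).
struct StrictCookie {
  std::string schemeWhenSet;
  std::string host;
};

// Constructed sample: a strict cookie set by http://example.com.
const StrictCookie kHttpCookie{"http", "example.com"};

// Decide whether the strict cookie is attached to requestUrl when the
// navigation was initiated from initiatorUrl. Two checks are applied:
// 1. the scheme the cookie was set under must equal the request scheme
//    (the check the report says already existed), and
// 2. the request must not be same-site foreign (host-only before the patch,
//    host+scheme after it, selected here by `schemeful`).
bool ShouldSendStrictCookie(const StrictCookie& cookie,
                            const std::string& initiatorUrl,
                            const std::string& requestUrl, bool schemeful) {
  const auto request = ParseSiteUrl(requestUrl);
  if (!request || request->host != cookie.host) {
    return false;
  }
  if (cookie.schemeWhenSet != request->scheme) {
    return false;
  }
  return !IsSameSiteForeign(initiatorUrl, requestUrl, schemeful);
}

int main() {
  // The two navigations from the bug description, as constructed inputs.
  const char* const kSteps[][2] = {
      {"http://example.com", "https://example.com"},
      {"https://example.com", "http://example.com"},
  };
  for (const auto& step : kSteps) {
    std::printf("%s -> %s: host-only %s, schemeful %s\n", step[0], step[1],
                ShouldSendStrictCookie(kHttpCookie, step[0], step[1], false) ? "sent" : "withheld",
                ShouldSendStrictCookie(kHttpCookie, step[0], step[1], true) ? "sent" : "withheld");
  }
  return 0;
}
```

With the host-only rule the second navigation still attaches the cookie, which is the leak the WPT catches; with the schemeful rule the scheme mismatch between initiator and request makes the request foreign and the cookie stays home. Unparseable input falls through to "foreign", so a bad URL fails closed rather than open.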

See Also: → schemeful-samesite
Attachment #9254292 - Attachment description: Bug 1744945: Add scheme checks to CookieCommons::IsSameSiteForeign for "Schemeful SameSite". r=ckerschb!,dragana! → Bug 1744945: Add scheme checks to CookieCommons::IsSameSiteForeign for "Schemeful SameSite". r=ckerschb,valentin!

Comment on attachment 9254292 [details]
Bug 1744945: Add scheme checks to CookieCommons::IsSameSiteForeign for "Schemeful SameSite". r=ckerschb,valentin!

Beta/Release Uplift Approval Request

  • User impact if declined: We are going to ship SameSite Cookies in Firefox 96. Even though schemeful samesite cookies are an incremental improvement to SameSite Cookies, they (schemeful samesite cookies) would not work correctly without this patch being uplifted.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): We crafted a patch that is completely encapsulated within the SameSite Cookie code and does not affect anything else. In return we consider uplifting the patch to be low risk.
  • String changes made/needed: no
Attachment #9254292 - Flags: approval-mozilla-beta?
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/autoland/rev/9a55ce1e0df8 Add scheme checks to CookieCommons::IsSameSiteForeign for "Schemeful SameSite". r=ckerschb,valentin
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch

Comment on attachment 9254292 [details]
Bug 1744945: Add scheme checks to CookieCommons::IsSameSiteForeign for "Schemeful SameSite". r=ckerschb,valentin!

Approved for 96.0b5

Attachment #9254292 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Regressions: 1787206
Regressions: 1800273