Closed Bug 1749558 Opened 3 years ago Closed 3 years ago

samesite Lax and Strict cookies are sent in cross-scheme subresource requests

Categories

(Core :: Networking: Cookies, defect, P1)

Product:
Core
Component:
Networking: Cookies
Version:
Firefox 96
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1748693

People

(Reporter: mpoliwczak34, Assigned: freddy)

Details

Attachments

(1 file)

img-src-subresource.png
87.64 KB, image/png
Details
Attached image img-src-subresource.png

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0

Steps to reproduce:

So i created a http server with two endpoints:
http://localhost:1111/10set-cookie
-> Set-Cookie: lax=lax; SameSite=Lax
-> Set-Cookie: strict=strict; SameSite=Strict

https://localhost:3333/20set-cookie
-> Set-Cookie: 2lax=lax; SameSite=Lax
-> Set-Cookie: 2strict=strict; SameSite=Strict

I visited http://localhost:1111/10set-cookie and https://localhost:3333/20set-cookie. Then I injected into the DOM of http://localhost:1111 a img src pointing to https://localhost:3333

Actual results:

2lax=lax and 2strict=strict cookies were included with the subresource request to https://localhost:3333.

Expected results:

They should not be included (as in chromium).

Component: Privacy: Anti-Tracking → Networking: Cookies

(In reply to Christoph Kerschbaumer [:ckerschb] from comment #3)

(In reply to Dragana Damjanovic [:dragana] from comment #2)

Christoph, can you find someone to take a look at?

Niklas is on PTO this week, but I'll make sure he takes a look right when he is back on his desk.

302 to Freddy since Niklas is out sick ...

Flags: needinfo?(fbraun)

I am very intrigued by the timing on this. This was filed apparently using "Firefox 96", a few days before we actually shipped. This is certainly possible if you're using the Beta version (the last "Beta" is the release candidate) but I want to make sure that's the case.

On the date you filed, in release Firefox 95 your results would make perfect sense: we were not enforcing "schemeful" samesite cookies.

In Beta Fiefox 96 we should have been -- the results are not what we expected

A few days after the release we had to turn off "schemeful" enforcement again because of site breakage, and again I'd expect your reported results.

At the very least we need to re=enable schemeful so this depends on bug 1750972. But you can test by manually reenabling it or by using Firefox nightly

Depends on: 1750972

"Localhost" is a strange beast -- it's quite possible that there's a special rule (in Firefox) that says http://localhost is the same as https://localhost, but on some named domain it would be enforced.

Flags: needinfo?(dveditz)

I was using FIrefox 96, I don't think it is a beta version. I upgraded it from arch linux repo after I saw a post on reddit telling that firefox 96 was released.
I tested it also using http and https at example.com and it worked the same way as with localhost. I remember that schemeful cookies was turned on in about:config, also while redirecting to pages that caused top-level navigation cookies were included as expected (only "2lax" http -> https redirect), but subresource requests worked differently.

Also When schemeful cookies would be turned off subresource request would include ALL cookies, that is lax, strict, 2lax and 2strict.

Tested it again at example.com, cookies created using document.cookie, after enabling schemeful cookies in about:config.

http://example.com (lax and strict cookies)
https://example.com (2lax and 2strict cookies)

Subresource (img src) request from http://example.com to https://example.com
https://imgur.com/a/JiAxFUc
-> First image schemeful cookies off
-> Second image schemeful cookies on

Firefox 96 was released at January 11, 2022 and I reported it at January 11, 2022 :)

(In reply to Daniel Veditz [:dveditz] from comment #6)

"Localhost" is a strange beast -- it's quite possible that there's a special rule (in Firefox) that says http://localhost is the same as https://localhost, but on some named domain it would be enforced.

As an aside, I think we're using "potentially trustworthy origin" for secure cookies, which returns true for "localhost". But apparently this bug is not supposed to be about that.

Flags: needinfo?(fbraun)

(In reply to mateusz from comment #9)

Firefox 96 was released at January 11, 2022 and I reported it at January 11, 2022 :)

Ah, I thought we released on January 12.

Anyway, our schemeful checks are definitely doing the wrong thing and that's why we had to immediately turn them off after the release. We were blocking cookies we shouldn't, and not blocking cookies we should. I think most of this is covered by what Freddy is patching in bug 1748693. Localhost specifically might remain an additional problem because of the "Potentially trustworthy origin" check. We can look at that when 1748693 is done.

Status: UNCONFIRMED → NEW
Depends on: 1748693
Ever confirmed: true
Flags: needinfo?(ngogge)
Flags: needinfo?(dveditz)
Summary: samesite Lax and Strict cookies are send in cross-scheme subresource requests → samesite Lax and Strict cookies are sent in cross-scheme subresource requests
Assignee: nobody → fbraun

marking as disabled for fx96 since we set sameSite.laxByDefault and sameSite.noneRequiresSecure to false via a pref flip

status-firefox96: --- → disabled

Do we need this bug? For non-localhost this is a dupe of bug 1748693 (and also depends on the "turn schemeful back on" bug). Does it need to morph into something about localhost?

When we fix bug 1748693 and turn the laxByDefault and schemeful checks back on then localhost, specifically and uniquely, will still work like the original description. I'm not sure that's wrong enough for us to want to fix. The reason for the schemeful check is to protect a secure site's cookies from going over insecure transport, and that doesn't happen with localhost.

I would vote "wontfix" on the localhost edgecase -- not worth the code complication to tick off technical but meaningless spec compliance for a situation that's not putting any users at risk.

Flags: needinfo?(fbraun)

The point of this bug was that the same behavior as shown with localhost existed with non-localhost domains.
Fixing it for localhost does no make sens for me either.

Thanks mateusz. Freddy's patch in bug 1748693 will fix this problem (for sites other than localhost)

There's an edge-case where document.cookie can show more cookies than it should in a cross-scheme nested document, spun out into bug 1756213

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(fbraun)
Resolution: --- → DUPLICATE
No longer blocks: schemeful-samesite
status-firefox96: disabled → ---
No longer depends on: 1748693, 1750972
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: