Closed Bug 1750264 Opened 4 months ago Closed 4 months ago

Disable cookie sameSite schemeful in Firefox 96

Categories

(Core :: Networking, task)

VERIFIED FIXED
Tracking Status
firefox96 + verified

People

(Reporter: RyanVM, Assigned: RyanVM)

Attachments

(1 file)

Due to regressions reported in the wild tracked in bug 1748693, we're shipping a Normandy pref flip to users on 96.0/96.0.1 to disable the feature (bug 1750257). For 96.0.2, we need to ship this in-tree as well.

Assignee: nobody → ryanvm
Status: NEW → ASSIGNED

Comment on attachment 9259151 [details]
Bug 1750264 - Disable cookie sameSite schemeful in Firefox 96. r=dveditz

Beta/Release Uplift Approval Request

  • User impact if declined: Users may encounter random site bustage
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Just a pref flip that we're already shipping a Normandy recipe for
  • String changes made/needed:
Attachment #9259151 - Flags: approval-mozilla-release?
Flags: qe-verify+

Comment on attachment 9259151 [details]
Bug 1750264 - Disable cookie sameSite schemeful in Firefox 96. r=dveditz

Approved for 96.0.2

Attachment #9259151 - Flags: approval-mozilla-release? → approval-mozilla-release+
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Regressions: 1750295
Regressions: 1750296
QA Whiteboard: [qa-triaged]

Verified on Firefox 96.0.2 Treeherder build from https://treeherder.mozilla.org/jobs?repo=mozilla-release&revision=65f109f099c106c182068d87031df6bcdb93d349&searchStr=build, against Windows 10, Ubuntu 20 and macOS 11.4, and I can confirm the following:

  • config parameter is network.cookie.sameSite.schemeful = false
  • No Remote feature related to "bug-1750257-rollout-pref-off" is displayed under about:support
  • One Normandy preferecences_rollout "bug-1750257-rollout-pref-off-networkcookiesamesiteschemeful-in-release-96-96" event is graduate.
Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]
Flags: qe-verify+
See Also: → 1751435

Docs team updated the docs to indicate this was supported in https://github.com/mdn/content/issues/10857#issuecomment-982280050 . This sounds like you've removed support again.

To be clear, my understanding is that the change is that network.cookie.sameSite.laxByDefault and network.cookie.sameSite.schemeful will now be back to false rather than true by default - is that correct?

Is there any plan to re-enable these?

Note:

Flags: needinfo?(ryanvm)
Flags: needinfo?(ryanvm) → needinfo?(fbraun)

There is a plan to re-enable, but it will take some time. The bugs will be under https://bugzilla.mozilla.org/show_bug.cgi?id=1617609

Flags: needinfo?(fbraun)

Hi @freddy,
Can you confirm the bit above?

"To be clear, my understanding is that the change is that network.cookie.sameSite.laxByDefault and network.cookie.sameSite.schemeful will now be back to false rather than true by default - is that correct?"

Yes. We disabled the three prefs sameSite=lax, sameSite noneRequiresSecure, and sameSite schemeful for release and beta.

Thanks very much. FYI I've rolled back FF96 changes in docs now. Looking forward to watching this roll back in again.
