Closed Bug 1750972 Opened 3 years ago Closed 2 years ago

Re-enable same-site schemeful

Categories

(Core :: Networking: Cookies, task, P1)

Firefox 96
task

Tracking


RESOLVED FIXED
104 Branch
Tracking Status
relnote-firefox --- -
firefox97 - wontfix
firefox98 + wontfix
firefox104 --- fixed

People

(Reporter: freddy, Assigned: tschuster)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-triaged])

Attachments

(2 files, 1 obsolete file)

+++ This bug was initially created as a clone and follow-up of Bug #1748693 +++

Bug 1748693 is only a hotfix. This is the second part from bug 1748693 comment 13:

There is still the potential for cookie injection attacks from http://insecure.site.example framing https://good.site.example that "schemeful samesite" (along with "lax by default") was intended to prevent. There are several existing cookie features that https://good.site.example could be using for protection, like secure cookies and cookie prefixes, but "lax by default" is trying to help sites that haven't thought about these issues and schemeful is part of that.

Blocks: 1749558

Note that we've only disabled samesite schemeful on Fx96 at the moment. Is this bug an indication that we should be disabling it everywhere until this is resolved?

Flags: needinfo?(fbraun)

I'm wondering if we should put it behind EARLY_BETA_OR_EARLIER for 97+ for the time-being.

See Also: → 1751435

Not sure if we'll be ready to do this for 98 or not, but 97 isn't going to happen.

Assignee: nobody → fbraun
Component: Networking → Networking: Cookies
Whiteboard: [necko-triaged]

(In reply to Ryan VanderMeulen [:RyanVM] from comment #1)

Note that we've only disabled samesite schemeful on Fx96 at the moment. Is this bug an indication that we should be disabling it everywhere until this is resolved?

I should have removed this flag much earlier. This happened in bug 1751435.

Flags: needinfo?(fbraun)

Re-enabling this is urgent, but it's not a defect. We won't make Firefox 98 either, so marking that as wontfix.

Type: defect → task
No longer blocks: 1749558
Assignee: fbraun → tschuster
Summary: Re-enable schemeful samesite → Re-enable same-site schemeful and noneRequiresSecure

We decided to re-enable network.cookie.sameSite.schemeful and network.cookie.sameSite.noneRequiresSecure even without necessarily enabling lax-by-default. This spreads the risks around multiple releases.

Depends on: 1777282

Depends on D150602

Attachment #9283442 - Attachment description: WIP: Bug 1750972 - Remove tests setting noneRequiresSecure = true → Bug 1750972 - Remove tests setting noneRequiresSecure = true. r?freddyb
Attachment #9283443 - Attachment description: WIP: Bug 1750972 - Remove same-site schemeful and noneRequiresSecure experimental features → Bug 1750972 - Remove same-site schemeful and noneRequiresSecure experimental features. r?#fluent-reviewers,#preferences-reviewers
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 104 Branch
Regressions: 1778136

Release Note Request (optional, but appreciated)
[Why is this notable]: Sites using SameSite=None or different schemes for cookies might break.
[Affects Firefox for Android]: Yes
[Suggested wording]: Cookies with SameSite=None must now also specify the Secure attribute. Cookies are now only considered same-site if they use the same scheme (http or https). (This is heavily inspired by the docs in MDN below)
[Links (documentation, blog post, etc)]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

relnote-firefox: --- → ?
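To make the two behaviours discussed in this bug concrete (the cross-scheme framing scenario in comment 0 and the relnote wording above), here is an added example that models the same-site decision. It is not Firefox code; the public-suffix table, the cookie/request objects and the `registrableDomain`, `siteOf`, `cookieAccepted` and `cookieSent` helpers are all assumptions made for illustration, and lax-by-default is deliberately not modelled because this bug does not ship it.

```javascript
// Added example, not Firefox code. Models the two prefs this bug toggles:
// network.cookie.sameSite.schemeful and network.cookie.sameSite.noneRequiresSecure.

// Constructed stand-in for the Public Suffix List; the real list is much larger.
const PUBLIC_SUFFIXES = new Set(["example", "com", "co.uk"]);

// Registrable domain (eTLD+1): the label just below the longest public suffix.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i - 1).join(".");
  }
  return host.toLowerCase();
}

// "Site" of a URL. Schemeful: scheme + registrable domain, so http:// and
// https:// variants of one domain are different sites. Schemeless: domain only.
function siteOf(url, schemeful) {
  const u = new URL(url);
  const domain = registrableDomain(u.hostname);
  return schemeful ? `${u.protocol}//${domain}` : domain;
}

function isSameSite(requestUrl, initiatorUrl, schemeful) {
  return siteOf(requestUrl, schemeful) === siteOf(initiatorUrl, schemeful);
}

// Whether a Set-Cookie with these attributes is stored at all.
// With noneRequiresSecure, SameSite=None without Secure is rejected.
function cookieAccepted(cookie, { noneRequiresSecure }) {
  if (cookie.sameSite === "None" && !cookie.secure && noneRequiresSecure) return false;
  return true;
}

// Whether a stored cookie is attached to a request. topLevelNavigation models a
// top-level GET navigation, the one cross-site case Lax still allows; a framed
// load or subresource fetch is not one. A cookie with no SameSite attribute is
// treated as None here (no lax-by-default).
function cookieSent(cookie, { requestUrl, initiatorUrl, topLevelNavigation }, { schemeful }) {
  const sameSite = isSameSite(requestUrl, initiatorUrl, schemeful);
  switch (cookie.sameSite) {
    case "Strict":
      return sameSite;
    case "Lax":
      return sameSite || topLevelNavigation;
    default:
      return true;
  }
}

// The scenario from comment 0: http://insecure.site.example framing
// https://good.site.example, with a SameSite=Lax cookie set by the https origin.
function framingScenario(schemeful) {
  const laxCookie = { name: "session", sameSite: "Lax", secure: true };
  const framedLoad = {
    requestUrl: "https://good.site.example/account",
    initiatorUrl: "http://insecure.site.example/attacker",
    topLevelNavigation: false,
  };
  return {
    schemeful,
    sameSite: isSameSite(framedLoad.requestUrl, framedLoad.initiatorUrl, schemeful),
    laxCookieSent: cookieSent(laxCookie, framedLoad, { schemeful }),
  };
}

console.log(framingScenario(false)); // schemeless: same-site, Lax cookie goes along
console.log(framingScenario(true));  // schemeful: cross-site, Lax cookie withheld
console.log(cookieAccepted({ name: "x", sameSite: "None", secure: false }, { noneRequiresSecure: true }));
```

With `schemeful` off the framed https load from the http page counts as same-site and the Lax cookie is attached; with it on, the scheme mismatch makes the request cross-site and Lax/Strict cookies are withheld. `cookieAccepted` shows the noneRequiresSecure half: a `SameSite=None` cookie without `Secure` is dropped at set time, while a cookie with no SameSite attribute at all is unaffected, which is the point made later in this bug about its limited value without lax-by-default.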

In bug 1679318 we saw site breakage caused by none-requires-secure. SameSite=None is also less useful without also shipping lax-by-default, because the website can just specify no SameSite attribute at all.

On the schemeful side I realized that with bug 1756213 still missing we are actually missing at least one piece of the implementation, which we should probably ship together.

For now just backing this out completely seems like the easiest way forward.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: 104 Branch → ---

Hi Dianna, this was backed out, so we should probably also update the release notes.

Flags: needinfo?(dsmith)

Hi, Removed from 104.0a1 relnotes. Thank you!

Flags: needinfo?(dsmith)

Re-using this bug to only land same-site schemeful.

Summary: Re-enable same-site schemeful and noneRequiresSecure → Re-enable same-site schemeful
Attachment #9283441 - Attachment description: Bug 1750972 - Enable same-site schemeful and noneRequiresSecure by default. r?freddyb → Bug 1750972 - Enable same-site schemeful by default. r?freddyb
Attachment #9283443 - Attachment description: Bug 1750972 - Remove same-site schemeful and noneRequiresSecure experimental features. r?#fluent-reviewers,#preferences-reviewers → Bug 1750972 - Remove the same-site schemeful experimental feature. r?#fluent-reviewers,#preferences-reviewers
Attachment #9283442 - Attachment is obsolete: true
Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/28957fbb64d5 Enable same-site schemeful by default. r=freddyb
https://hg.mozilla.org/integration/autoland/rev/ff07f346788a Remove the same-site schemeful experimental feature. r=preferences-reviewers,Gijs
Status: REOPENED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 104 Branch

:tom can you revise the relnote with the new patch?

Flags: needinfo?(tschuster)

This "feature" by itself is more of a bug fix and probably doesn't require a release note.

Flags: needinfo?(tschuster)
Regressions: 1800273
