Open Bug 1751508 Opened 2 years ago Updated 6 months ago

Make it easier to blocklist sites from sameSiteLax cookie rules

(Core :: Networking: Cookies, enhancement, P3)

(Reporter: RyanVM, Unassigned)

(Whiteboard: [necko-triaged])

One issue we encountered when weighing our options for how to address various site breakages from the sameSiteLax cookie rollout in Fx96 was that we were limited in our abilities to blocklist sites from the new behavior on a case-by-case basis. We were limited to UA overrides (which carry their own risk of unintended breakages) or the network.cookie.sameSite.laxByDefault.disabledHosts pref, which also has limitations as a static list of sites which can't be easily appended to if there were already user-specified values in there.

Before we let this feature ride the trains, it would be good if we had a more robust way of blocklisting sites in a low-friction way. My proposal is that we'd add a blocklist controlled by remote settings which we could then add and remove sites from with minimal overhead. This would allow us to do so in a targeted way without interfering with any previously-set user overrides or shipping UA overrides via new WebCompat addon releases.

Blocks: samesitelax
Severity: -- → N/A
Priority: -- → P2
Whiteboard: [necko-triaged]
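
As an added illustration (not Firefox code and not part of this bug), a small Python model of how lax-by-default cookie admission would consult a per-host exemption set built as the union of the static network.cookie.sameSite.laxByDefault.disabledHosts pref and a hypothetical remote-settings blocklist, so that remote additions never clobber user-specified entries. The Cookie and Request types and the `remote_blocklist` parameter are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of SameSite lax-by-default admission; hosts and types are made up.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

@dataclass
class Cookie:
    name: str
    host: str                         # host the cookie belongs to
    same_site: Optional[str] = None   # "Strict" | "Lax" | "None" | None (attribute absent)

@dataclass
class Request:
    method: str
    cross_site: bool                  # initiator site differs from request site
    top_level_navigation: bool        # document navigation rather than a subresource load

def parse_disabled_hosts(pref_value: str) -> set[str]:
    """Parse the comma-separated pref value; tolerate whitespace, case and blank entries."""
    return {h.strip().lower() for h in pref_value.split(",") if h.strip()}

def exempt_hosts(user_pref_value: str, remote_blocklist: list[str]) -> set[str]:
    """Union of user-set hosts and the (hypothetical) remote list: neither overwrites the other."""
    return parse_disabled_hosts(user_pref_value) | {h.strip().lower() for h in remote_blocklist}

def effective_same_site(cookie: Cookie, lax_by_default: bool, exempt: set[str]) -> str:
    """An explicit attribute always wins; an absent one becomes Lax only when lax-by-default
    is on and the cookie's host is not exempt, otherwise it keeps the legacy None behaviour."""
    if cookie.same_site is not None:
        return cookie.same_site
    if lax_by_default and cookie.host.lower() not in exempt:
        return "Lax"
    return "None"

def cookie_is_sent(cookie: Cookie, req: Request, lax_by_default: bool, exempt: set[str]) -> bool:
    """Decide whether the cookie accompanies the request under its effective SameSite mode.
    (Any time-bounded exception for fresh cookies on unsafe methods is not modelled.)"""
    if not req.cross_site:
        return True
    mode = effective_same_site(cookie, lax_by_default, exempt)
    if mode == "Strict":
        return False
    if mode == "Lax":
        return req.top_level_navigation and req.method.upper() in SAFE_METHODS
    return True  # "None": unrestricted cross-site sending
```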

I am not sure if we still need this.
Ed, do you know?

Flags: needinfo?(edgul)

As far as I know there is still no intention to ship samesite=lax by default due to significant breakage (probably) not limited to Bug 1618610. On the other hand I don't think we can say with certainty that we will never fix them and ship this either. I think that's why we still see all the lax by default bugs stay open.

This bug seems like it could be a useful feature provided we ship lax-by-default, so I think we should leave it until we have a plan for lax-by-default.

If it's the case that this feature would be useful outside lax-by-default we can look at working on it sooner. I have no insight on this.

Flags: needinfo?(edgul)
Priority: P2 → P3