Closed Bug 1752475 Opened 4 years ago Closed 3 years ago

Store distinct "default" samesite attribute value even if the laxByDefault pref is false

Categories

(Core :: Networking: Cookies, task, P2)


RESOLVED FIXED
101 Branch
Tracking Status
firefox101 --- fixed

People

(Reporter: dveditz, Assigned: tschuster)

Attachments

(1 file, 1 obsolete file)

We currently only support three values for samesite: lax, strict, and none. Since the time that code was implemented in bug 1551798, the early spec was merged into rfc6265bis and clarified. The spec now requires storing an explicit "default" value:
https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-09.html#section-5.5-3.16

We can track that state, but currently we only do so if the laxByDefault pref is true. The result is that by the time we turn laxByDefault on, users with old profiles have a bunch of old cookies whose samesite value is interpreted as an explicit "None". As long as those cookies are not updated this will hide sites that are broken by the "laxByDefault" setting, possibly delaying detection until after we ship and fresh users start using the broken site.

Our storage of this attribute is goofy (a "raw" and "interpreted" attribute), but we can use it to indicate "default" samesite attributes -- essentially we do that when the laxByDefault pref is set to true.

This bug proposes to change the storing of cookies to ignore the laxByDefault pref and always store the 4 values (lax, strict, none, and default) described in the spec. The use of cookies does not need to be changed because it already does the right thing based on the state of the laxByDefault pref.

I am not proposing to rewrite the storage to use a single column with 4 values at this time. That can be a later cleanup, but at the moment getting rid of one of the columns would cause an older Firefox to decide the cookie database is corrupt and delete them all. Plus that would be a bigger change requiring a lot more testing and fingernail biting about regressions.
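
The storage problem and the proposed fix described above, modeled as an added example (not Firefox code and not the patch attached to this bug). The type and function names are hypothetical, and encoding "default" as the (interpreted = Lax, raw = None) pair is an assumption made for illustration.

```cpp
// Added illustration, not Firefox source. All names are hypothetical.
#include <cstdio>

enum class SameSite { None, Lax, Strict, Default };  // the four spec values

// Two stored columns, as the bug describes; each holds None, Lax or Strict.
struct Stored { SameSite interpreted; SameSite raw; };

// Storing as described before the change: an absent attribute is only
// distinguishable when laxByDefault was true at write time.
Stored StoreOld(SameSite attr, bool laxByDefault) {
  if (attr != SameSite::Default) return {attr, attr};
  return {laxByDefault ? SameSite::Lax : SameSite::None, SameSite::None};
}

// Proposed storing: ignore the pref. Assumed encoding of "default" is the
// (Lax, None) pair, which no explicit attribute produces.
Stored StoreNew(SameSite attr) {
  if (attr != SameSite::Default) return {attr, attr};
  return {SameSite::Lax, SameSite::None};
}

// Recover the four-valued attribute from the two columns.
SameSite Decode(const Stored& c) {
  if (c.interpreted == SameSite::Lax && c.raw == SameSite::None)
    return SameSite::Default;
  return c.interpreted;
}

// Getter: the pref is consulted at read time, not at write time.
SameSite Effective(const Stored& c, bool laxByDefault) {
  SameSite v = Decode(c);
  if (v == SameSite::Default) return laxByDefault ? SameSite::Lax : SameSite::None;
  return v;
}

int main() {
  // Constructed scenario: a cookie with no SameSite attribute is stored while
  // the pref is off, then read after the pref is turned on.
  Stored oldRow = StoreOld(SameSite::Default, false);
  Stored newRow = StoreNew(SameSite::Default);
  std::printf("old row enforced as Lax: %d\n", Effective(oldRow, true) == SameSite::Lax);
  std::printf("new row enforced as Lax: %d\n", Effective(newRow, true) == SameSite::Lax);
  return 0;
}
```

The old row reads back as an explicit None after the pref flips, which is the case that hides sites broken by laxByDefault; the new row switches to Lax enforcement without the cookie being rewritten.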

Attachment #9261542 - Attachment description: WIP: Bug 1752475 - store cookies better for future compat → WIP: Bug 1752475 - Change nsICookie/CookieStruct to implicitly flip SameSite in getter func
Attachment #9261542 - Attachment description: WIP: Bug 1752475 - Change nsICookie/CookieStruct to implicitly flip SameSite in getter func → Bug 1752475 - Change nsICookie/CookieStruct to implicitly flip SameSite in getter func r=dragana!,dveditz
Blocks: samesitelax
No longer blocks: samesitelax
Blocks: samesitelax
Attachment #9268693 - Attachment description: WIP: Bug 1752475 → WIP: Bug 1752475 - Review updates
Assignee: fbraun → tschuster
Attachment #9268693 - Attachment is obsolete: true
Pushed by evilpies@gmail.com: https://hg.mozilla.org/integration/autoland/rev/0acc23548adf Change nsICookie/CookieStruct to implicitly flip SameSite in getter func r=dveditz,dragana

Sorry, updated the patch.

Flags: needinfo?(tschuster)
Pushed by evilpies@gmail.com: https://hg.mozilla.org/integration/autoland/rev/b09a364bdf81 Change nsICookie/CookieStruct to implicitly flip SameSite in getter func r=dveditz,dragana,freddyb
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 101 Branch