Console Log erroneously warns about SameSite=None when SameSite=Lax
Categories
(Core :: Networking: Cookies, defect)
People
(Reporter: alexvb6, Unassigned)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:98.0) Gecko/20100101 Firefox/98.0
Steps to reproduce:
I am using the popular "js.cookie" library to create a client-side cookie from JS code.
This cookie explicitly has the "secure" attribute set to true, and explicitly has the "SameSite=Lax" attribute defined.
Actual results:
When the cookie is set, Firefox complains that the cookie was defined with "SameSite=None", and without the "Secure" attribute, and will soon be rejected.
The faulty Console Log warning is: "Cookie “le_forgeron_fr___ckCmp” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite"
Expected results:
Firefox should not complain at all: the cookie is properly set with the "SameSite=Lax" and "Secure" attributes.
The Console Log warning is wrong TWO times:
- it states that the "Secure" attribute is not set: this is false.
- it states that the "SameSite" attribute is set to "None": this is false.
This can be tested on my website: https://le-forgeron.fr
The cookie named "le_forgeron_fr___ckCmp" is defined, and has the SameSite attribute set to Lax, as well as the Secure attribute set to true.
This bug also appears when setting "SameSite=Strict".
Comment 1•3 years ago
The Bugbug bot thinks this bug should belong to the 'DevTools::Console' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•3 years ago
Thanks for this bug report. We actually just fixed this wrong warning in Firefox Nightly.
The new warning message is now:
Cookie “le_forgeron_fr___ckCmp” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute.
> Firefox should not complain at all : the cookie is properly set with the "SameSite=Lax" and "Secure" attributes.
I think that is actually not correct and might be the defaults. Setting a breakpoint on document.cookie shows the cookie being set is le_forgeron_fr___ckCmp=; path=/; expires=Tue, 05 Apr 2022 08:12:56 GMT.
> I am using the popular "js.cookie" library to create a client-side cookie from JS code.
I think we might want to contact them. Is js.cookie this https://github.com/js-cookie/js-cookie project?
Comment 3•3 years ago (Reporter)
This is a very good idea that you fixed the wrong warning in Firefox Nightly.
The new warning message is now a lot clearer.
In my case, you are right: I was making a mistake.
I was setting my cookie properly, with the Cookies.set('le_forgeron_fr___ckCmp', 'myDataHere', {expires:0, sameSite:'Lax', secure:true}) method of the js.cookie library. This does not issue any warning in Firefox... so where does this warning come from? Here is the answer:
My mistake was that before setting my cookie, I was calling Cookies.remove('le_forgeron_fr___ckCmp') without the SameSite and Secure attributes. The js-cookie library was then relying on its defaults, and the defaults are... nothing for these 2 attributes!
The warning shown by Firefox was due to this call, and was totally legitimate!
So the proper use of the js-cookie library in this case is to use Cookies.remove('le_forgeron_fr___ckCmp', {expires:0, sameSite:'Lax', secure:true}).
And now, Firefox does not issue any warning.
In conclusion, thank you for improving the console warning message, but NO, there was no bug in Firefox concerning the way cookies are set when the SameSite attribute is missing (in fact this attribute was missing on my side when I was calling the Cookies.remove() method). My mistake!
This ticket can be closed/archived.
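
The diagnosis in this thread (a removal call writing a cookie string with no SameSite or Secure attribute) can be checked mechanically. The following is an added example, not part of the bug report and not code from js-cookie or Firefox: it audits each string written to document.cookie and reports which attributes are left to browser defaults. All function names are hypothetical; the first sample string is the write quoted in Comment 2, the second is constructed.

```javascript
// Added example: audit the strings a page writes to document.cookie.
// All function names here are hypothetical helpers, not js-cookie or Firefox APIs.

// Split "name=value; attr; attr=value" into a name and a lower-cased attribute map.
function parseCookieWrite(str) {
  const [pair = '', ...rest] = String(str).split(';').map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: eq === -1 ? '' : pair.slice(0, eq).trim(), attrs };
}

// Report what a single write (a set OR a removal) leaves to browser defaults.
function auditCookieWrite(str) {
  const { name, attrs } = parseCookieWrite(str);
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  const findings = [];
  if (sameSite === null) findings.push('no SameSite attribute');
  else if (!['lax', 'strict', 'none'].includes(sameSite)) findings.push('invalid SameSite value');
  if (!attrs.secure) findings.push('no Secure attribute');
  return { name, findings };
}

// Browser only: wrap the document.cookie setter so every write is audited with a stack trace.
function installCookieAudit(report = console.warn) {
  const desc = Object.getOwnPropertyDescriptor(Document.prototype, 'cookie');
  Object.defineProperty(document, 'cookie', {
    configurable: true,
    get() { return desc.get.call(document); },
    set(value) {
      const { name, findings } = auditCookieWrite(value);
      if (findings.length) report(`cookie "${name}": ${findings.join(', ')}`, new Error().stack);
      desc.set.call(document, value);
    },
  });
}

// Write quoted in Comment 2 (seen via a breakpoint on document.cookie).
const REMOVAL_WRITE = 'le_forgeron_fr___ckCmp=; path=/; expires=Tue, 05 Apr 2022 08:12:56 GMT';
// Constructed sample: the same removal with the attributes carried over.
const FIXED_WRITE = `${REMOVAL_WRITE}; SameSite=Lax; Secure`;

if (typeof document !== 'undefined') installCookieAudit();
```

The stack trace passed to the reporter points at the call site of the offending write, which here would have been the removal call rather than the later set.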