Send laxByDefault cookies on boomerang-redirects; continue to block explicit SameSite cookies
Categories: Core :: Networking: Cookies, task, P2

Tracking

 | Tracking | Status
---|---|---
firefox109 | --- | fixed

People: Reporter: dveditz, Assigned: tschuster

References

Details: Whiteboard: [necko-triaged]

Attachments: 1 file
TL;DR: implement a "more lax" SameSite behavior for "Default" cookies in a "boomerang-redirect" request
When we enabled "SameSite=lax by default" in bug 1617609 we caused a lot of breakage, and that led us to discover a behavior difference between our implementation and what Chrome had been shipping for a year. In a "boomerang-redirect" request Chrome will send SameSite cookies, which is less strict than specified. We use "boomerang-redirect" to describe a cross-site request that is redirected back to the same site that triggered the original request.
When the Chrome team tried to fix the bug they, like us, experienced too much site breakage to ship that fix.
We have proposed a spec update that preserves stricter enforcement where possible and relaxes enforcement for "default" cookies as a compromise with web reality. We are also gathering telemetry (bug 1763073) that will measure the impact of this approach. Now we need to implement the proposed change. The proposal is:
- Follow the original spec wrt cross-origin redirects for explicit SameSite cookies. This is what Firefox has implemented, and Chrome will fix their implementation in the "boomerang-redirect" case.
- For "default" cookies that are treated as SameSite=lax but didn't explicitly request that treatment, Firefox will change its behavior and compare only the final request site to the originating domain; redirects will be ignored.
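The two rules above, as an added example that is not part of this bug or of Firefox's implementation: a small Python model in which explicit `SameSite=Strict`/`Lax` cookies follow the original spec (every hop of the redirect chain must be same-site with the initiator), while attribute-less "default" cookies are treated as Lax but compare only the final request site to the originating site. The host names, the `Cookie` type, the `should_send` function and the two-label `site_of` helper are assumptions made for the example; a real implementation uses the Public Suffix List and the full cookie-matching rules.

```python
"""Added example (not Mozilla code): a model of the proposed SameSite decision
for boomerang redirects, contrasting explicit and "default" cookies."""
from dataclasses import dataclass
from typing import List, Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def site_of(host: str) -> str:
    """Crude eTLD+1 (last two labels). Assumption for the example only;
    a real implementation consults the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


@dataclass(frozen=True)
class Cookie:
    name: str
    host: str                        # host the cookie was set for
    same_site: Optional[str] = None  # "Strict", "Lax", "None", or None when absent


def is_same_site_per_spec(initiator: str, chain: List[str]) -> bool:
    """Original spec: every hop of the redirect chain must be same-site with the initiator."""
    origin = site_of(initiator)
    return all(site_of(h) == origin for h in chain)


def is_same_site_final_only(initiator: str, chain: List[str]) -> bool:
    """Proposed relaxation for default cookies: only the final request site counts."""
    return site_of(initiator) == site_of(chain[-1])


def should_send(cookie: Cookie, initiator: str, chain: List[str],
                method: str = "GET", top_level: bool = True) -> bool:
    """Return True if `cookie` is attached to the final request of `chain`.

    `initiator` is the host that issued the first request; `chain` lists the
    requested hosts in order, ending with the final (post-redirect) host.
    """
    if site_of(cookie.host) != site_of(chain[-1]):
        return False  # the cookie does not belong to the site being requested at all

    mode = cookie.same_site
    if mode == "None":
        return True  # cross-site use explicitly allowed (Secure requirement omitted here)

    if mode in ("Strict", "Lax"):
        # Explicit attribute: the whole redirect chain is considered.
        same_site = is_same_site_per_spec(initiator, chain)
    else:
        # No attribute: treated as Lax, but redirects are ignored.
        same_site = is_same_site_final_only(initiator, chain)
        mode = "Lax"

    if same_site:
        return True
    if mode == "Lax":
        # Lax still permits top-level navigations that use a safe method.
        return top_level and method.upper() in SAFE_METHODS
    return False


if __name__ == "__main__":
    # Constructed boomerang: shop.example -> idp.example -> redirected back to shop.example
    boomerang = ["idp.example", "shop.example"]
    explicit = Cookie("sid", "shop.example", "Lax")
    default = Cookie("sid", "shop.example")
    # A subresource fetch (not a top-level navigation) that boomerangs:
    print(should_send(explicit, "shop.example", boomerang, top_level=False))  # False
    print(should_send(default, "shop.example", boomerang, top_level=False))   # True
```

The non-top-level fetch case is where the two rules diverge most visibly: a top-level GET navigation is allowed for any Lax cookie regardless of the chain, whereas an explicit `SameSite=Strict` cookie is withheld on the boomerang under both rules.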