samesite=none cookies working even with secure=false
Component: Core :: Networking: Cookies (defect)
Reporter: bugs; Unassigned
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0
Steps to reproduce:
Yesterday, one of our sites broke on Chrome but not on Firefox. The authentication cookie had the samesite=none attribute (we’re doing weird things with iframes), but one incorrect change to our nginx configuration removed the secure attribute.
Actual results:
Chrome correctly rejected the authentication cookie; Firefox incorrectly accepted it.
Expected results:
According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes :
If Secure is missing, an error will be logged:
Cookie "myCookie" rejected because it has the "SameSite=None" attribute but is missing the "secure" attribute.
This Set-Cookie was blocked because it had the "SameSite=None" attribute but did not have the "Secure" attribute, which is required in order to use "SameSite=None".
Comment 1•1 year ago
The Bugbug bot thinks this bug should belong to the 'Core::Widget: Gtk' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Updated•1 year ago
Which version of Firefox are you using? Nightly, Beta, Release or ESR?
Only in nightly will the default network.cookie.sameSite.noneRequiresSecure pref be true. So, by default: beta, release and ESR will happily accept insecure samesite=none cookies. See: https://searchfox.org/mozilla-central/rev/6936c4c3fc9bee166912fce10104fbe0417d77d3/modules/libpref/init/StaticPrefList.yaml#11964
You can test that this is indeed the issue by going to about:config, setting the above pref to true and running your test scenario again. Does this fix the issue? If not, we may need to dig a little deeper.
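The rule at issue in this report (a cookie carrying SameSite=None must also carry Secure, otherwise it is rejected, as Chrome does by default and Firefox does when network.cookie.sameSite.noneRequiresSecure is true) is easy to check on the server side before a browser ever sees the header. The following is an added example, not code from the bug report or from Mozilla: a small Set-Cookie parser and an audit function that flags exactly the misconfiguration described above. The sample headers are constructed for illustration; the rejection message is modelled on the Firefox console text quoted in the report.

```python
"""Audit Set-Cookie headers for SameSite=None without Secure.

Added example (not from the bug report or from Firefox source).
Attribute names are matched case-insensitively, as browsers do.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ParsedCookie:
    name: str
    value: str
    # attribute name (lower-cased) -> attribute value ("" for flags like Secure)
    attributes: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split a Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return ParsedCookie(name.strip(), value.strip(), attrs)


def check_samesite_none(header: str) -> Optional[str]:
    """Return a rejection message if SameSite=None is present without Secure.

    Returns None when the cookie is acceptable under that rule (other
    attributes are not validated here).
    """
    cookie = parse_set_cookie(header)
    samesite = cookie.attributes.get("samesite", "").lower()
    if samesite == "none" and "secure" not in cookie.attributes:
        return (
            f'Cookie "{cookie.name}" rejected because it has the '
            '"SameSite=None" attribute but is missing the "secure" attribute.'
        )
    return None


def audit_headers(headers: List[str]) -> List[str]:
    """Run the check over every Set-Cookie header and collect the rejections."""
    return [msg for msg in (check_samesite_none(h) for h in headers) if msg]


# Constructed sample headers: the second one reproduces the nginx mistake
# from the report (Secure dropped while SameSite=None is kept).
SAMPLE_HEADERS = [
    "auth=abc123; Path=/; HttpOnly; SameSite=None; Secure",
    "auth=abc123; Path=/; HttpOnly; samesite=none",
    "pref=dark; Path=/; SameSite=Lax",
]

if __name__ == "__main__":
    for message in audit_headers(SAMPLE_HEADERS):
        print(message)
```

Because Release, Beta and ESR accept such a cookie (per the comment above), a passing test in Firefox is not evidence that the header is correct; running a check like this against the response headers your proxy actually emits catches the regression regardless of which browser or pref happens to be in use.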
Comment 4•1 year ago
Yes, I’m on release, I have the default value of false. My mistake, I thought it was already enabled on release.