Enable cookie "sameSite=none requires secure" feature
Categories
(Core :: Networking: Cookies, enhancement, P3)
People
(Reporter: baku, Assigned: baku)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-complete, Whiteboard: [necko-triaged])
Attachments
(1 file)
I think it's time to move forward with the feature "sameSite=none requires secure" for the following reasons:
- The 'network.cookie.sameSite.noneRequiresSecure' preference has been in use for over four years in Nightly without any major issues
- Chrome has released this feature already
- WPTs require this feature on (https://searchfox.org/mozilla-central/search?q=etwork.cookie.sameSite.noneRequiresSecure%3Atrue&path=&case=false&regexp=false)
Comment 1•1 year ago
Comment 2•1 year ago
There were a couple of web compat bugs caused specifically by "none requires secure" when we last tried to roll out the "lax by default" constellation of features. They were not Firefox bugs, but sites that weirdly served the secure attribute to Chrome and not Firefox, for otherwise identical samesite=none cookies.
We should look back through the regressions and find those, and retest those sites. And even then proceed carefully.
Comment 4•1 year ago
Comment 5•1 year ago
:baku could you consider nominating this for a release note? (Process info)
Comment 6•1 year ago
FF131 MDN docs work for this can be tracked in https://github.com/mdn/content/issues/35697
If you have time ...
- Where in the spec is this behaviour required? The first mention of it I see is https://web.dev/articles/samesite-cookies-explained but I don't think it is in the spec?
- Is there a way to work out what versions of browsers support for Secure was added (independent of this particular issue/requirement)?
Comment 7•1 year ago
Edgul, maybe it would be nice to flag it for a relnotes together with the other cookie improvements. What do you think?
Release Note Request (optional, but appreciated)
[Why is this notable]: In release mode, SameSite=None cookies will now be rejected when there is no Secure attribute included. Since cookies with an unspecified SameSite value are also interpreted as SameSite=None by Firefox, they will also be subject to the same kind of rejection when Secure is not present. Effectively, this means that cookies with loose (or unspecified) restrictions on whether they can be sent in 3rd party contexts will at least only be visible in secure contexts (over HTTPS).
[Affects Firefox for Android]: Yes
[Suggested wording]: SameSite=None cookies without Secure attribute will be rejected
[Links (documentation, blog post, etc)]:
> Where in the spec is this behaviour required?
https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.7-3.19.1
> maybe it would be nice to flag it for a relnotes together with other cookie improvement.
Certainly this item, yes. Let's go through the others on a case-by-case basis and nominate the ones that make sense.
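As an added illustration (not code from the patch or from Firefox itself), the acceptance rule described in the release note request above, applied to constructed Set-Cookie headers: a cookie whose effective SameSite is None is dropped unless Secure is present, and the `lax_by_default` switch shows how the same headers fare when an unspecified SameSite is read as Lax, as the spec default does, instead of Firefox's None. The parser and function names are assumptions made for this example.

```python
from typing import Dict, List, Optional, Tuple

Attrs = Dict[str, Optional[str]]


def parse_set_cookie(header: str) -> Tuple[str, str, Attrs]:
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are matched case-insensitively, as browsers do;
    valueless attributes such as Secure and HttpOnly map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def effective_samesite(attrs: Attrs, lax_by_default: bool) -> str:
    """SameSite value the cookie is treated as having.

    With lax_by_default=False an absent attribute is read as None (the
    Firefox behaviour the release note describes); with True it is read as
    Lax (the spec default). Unrecognised values are treated like an absent
    attribute here; that choice is an assumption of this example.
    """
    raw = (attrs.get("samesite") or "").lower()
    if raw in ("strict", "lax", "none"):
        return raw.capitalize()
    return "Lax" if lax_by_default else "None"


def accept_cookie(header: str, lax_by_default: bool = False) -> Tuple[bool, str]:
    """Apply 'SameSite=None requires Secure' to one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    same_site = effective_samesite(attrs, lax_by_default)
    if same_site == "None" and "secure" not in attrs:
        return False, f"{name}: effective SameSite=None without Secure; rejected"
    return True, f"{name}: accepted (SameSite={same_site})"


def audit(headers: List[str], lax_by_default: bool = False) -> List[Tuple[str, bool]]:
    """Return (cookie name, accepted?) for each header in a constructed response."""
    return [(parse_set_cookie(h)[0], accept_cookie(h, lax_by_default)[0]) for h in headers]
```

Running `audit(["sid=abc; Secure; SameSite=None", "legacy=1; Path=/"])` rejects `legacy`, while the same call with `lax_by_default=True` accepts it, which is the compatibility difference Comment 10 points at.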
Comment 9•1 year ago
Added to the 131 release notes as well as the draft document. I can group them together if needed once others are nominated.
Comment 10•1 year ago
Thank you. FYI I updated the MDN FF release note because this may break some cookies being set if servers were not explicitly setting the SameSite at all (the fact that Same-Site=None is the default on FF is non-spec and non-obvious - though it is in the compatibility data).