Intent to Implement and Ship: Display alerts for SameSite cookie changes in the developer console


Lily Chen

Aug 30, 2019, 10:36:57 AM
to blink-dev

Contact emails

chl...@chromium.org, aaro...@chromium.org, morl...@chromium.org 


Explainer

https://www.chromestatus.com/feature/5088147346030592 (“Cookies with SameSite by default”)

https://www.chromestatus.com/feature/5633521622188032 (“Reject insecure SameSite=None cookies”)


Design doc/Spec

https://tools.ietf.org/html/draft-west-cookie-incrementalism-00


TAG review

N/A


Summary

Show alerts in the developer console for “Cookies with SameSite by default” and “Reject insecure SameSite=None cookies” to warn developers of upcoming changes that may require their action.


Motivation

“Cookies with SameSite by default” and “Reject insecure SameSite=None cookies” will affect many sites using cookies that must be available in a third-party context. In order for developers to prepare for these changes and minimize breakage, we would like to show console messages to make developers aware of these changes and direct them to resources that will help them understand the changes and make the necessary changes to their sites.


The warning for “Cookies with SameSite by default” will read as follows:

“A cookie associated with a cross-site resource at (cookie domain) was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.”

This is shown whenever a cookie that does not specify a SameSite attribute is accessed in a third-party context.


The warning for “Reject insecure SameSite=None cookies” will read as follows:

“A cookie associated with a resource at (cookie domain) was set with `SameSite=None` but without `Secure`. A future release of Chrome will only deliver cookies marked `SameSite=None` if they are also marked `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.”

This is shown whenever a cookie that specifies the “SameSite=None” attribute but not the “Secure” attribute is accessed.


In both cases, “(cookie domain)” gives the domain of the cookie that triggered the message. 


Interoperability and Compatibility Risk

The messages should not have any interoperability or compatibility risk. Some web_tests may be affected by the output of the messages, resulting in a text diff from the expected output. In most cases, this can be remedied by adding “testRunner.setDumpConsoleMessages(false)”.


Edge: No signals

Firefox: Features In development

Safari: No signals

Web / Framework developers: No signals


Ergonomics

The messages collapse in the DevTools console so that multiple messages of the same type will all show in one box with the multiplicity of the messages shown, to avoid overwhelming the display area.


Debuggability

Messages will be displayed in DevTools. 


Usage information from UseCounter

UseCounter indicates that the first message would be displayed on approximately 50% of page views, and the second message would be displayed on approximately 20% of page views.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes


Is this feature fully tested by web-platform-tests?

N/A


Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=966576


Link to entry on the feature dashboard

https://www.chromestatus.com/feature/5631381646344192 


Requesting approval to ship too?

Yes. The messages are currently implemented behind a flag, #cookie-deprecation-messages. They will eventually be removed. We would like to turn on the messages immediately in M77+, even while Intents to ship the relevant SameSite features are still pending, to give as much time as possible for developers to become aware of the changes.
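The two trigger conditions described in this intent (a cookie with no `SameSite` attribute accessed in a third-party context, and a `SameSite=None` cookie without `Secure` accessed in any context) can be checked offline against a site's own `Set-Cookie` headers before the console messages start appearing. The following is an added example, not Chromium's implementation of the console warnings; the sample headers are constructed, attribute matching is case-insensitive as in the cookie spec, and the `cross_site` flag stands in for the browser's knowledge of whether the request is first- or third-party, which a static check cannot determine from the header alone.

```python
"""Lint Set-Cookie header values against the two SameSite console warnings.

Added example, not Chromium code. Attribute names are compared
case-insensitively; `cross_site` is an assumption supplied by the caller
because only the browser knows the request context.
"""

# Constructed sample Set-Cookie values (not captured from any real site).
SAMPLE_SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",                # no SameSite attribute
    "tracker=xyz; Domain=ads.example; SameSite=None",  # None without Secure
    "pref=dark; SameSite=None; Secure",                # correct for cross-site use
    "csrf=tok; SameSite=Lax",                          # first-party only, fine
    "legacy=1; samesite=none; secure; Path=/",         # lowercase attributes, fine
]

MISSING_SAMESITE = "missing-samesite"
NONE_WITHOUT_SECURE = "none-without-secure"


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, attrs).

    attrs is keyed by lowercase attribute name; flag attributes such as
    Secure and HttpOnly map to True, valued attributes map to their string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def classify(header: str, cross_site: bool):
    """Return the list of warning kinds this cookie would trigger.

    The first warning only applies when the cookie is accessed in a
    third-party context; the second applies regardless of context.
    """
    _, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite")
    secure = attrs.get("secure") is True
    warnings = []
    if samesite is None and cross_site:
        warnings.append(MISSING_SAMESITE)
    if isinstance(samesite, str) and samesite.lower() == "none" and not secure:
        warnings.append(NONE_WITHOUT_SECURE)
    return warnings


def lint_headers(headers, cross_site: bool):
    """Return (cookie name, cookie domain, warnings) for each offending cookie.

    Domain is the Domain attribute if present; host-only cookies are
    reported with the placeholder "(host-only)" since the header does not
    carry the request host.
    """
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        warnings = classify(header, cross_site)
        if warnings:
            domain = attrs.get("domain", "(host-only)")
            findings.append((name, domain, warnings))
    return findings


if __name__ == "__main__":
    # Assume the sample headers are observed in a third-party context.
    for name, domain, kinds in lint_headers(SAMPLE_SET_COOKIE_HEADERS, cross_site=True):
        print(f"{name} ({domain}): {', '.join(kinds)}")
```

Run as a script it prints one line per cookie that would produce a console message; a site that wants to stay quiet in the console fixes the `missing-samesite` findings by choosing an explicit `SameSite` value and the `none-without-secure` findings by adding `Secure`.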


Yoav Weiss

Sep 5, 2019, 2:36:33 PM
to Lily Chen, blink-dev
(Meta comment: I think we can read this as an "intent to deprecate")

I'm supportive of early alerts to developers in this case, even if we don't yet have a clear milestone for when removal will happen.
How confident are we regarding the warning messages and the fact that they won't change over time?


Lily Chen

Sep 5, 2019, 8:13:13 PM
to Yoav Weiss, Lily Chen, blink-dev
The messages have been looked over by a number of people, and we think they shouldn't need to be changed at this point, at least while the "a future release" part is still true. We intentionally left out a specific milestone or date for this reason.

Lily Chen

Sep 9, 2019, 3:44:02 PM
to Lily Chen, Yoav Weiss, blink-dev
Ping! We would like to turn this on via Finch for M77+.

Yoav Weiss

Sep 9, 2019, 3:49:15 PM
to Lily Chen, blink-dev
LGTM1

Philip Jägenstedt

Sep 10, 2019, 8:47:07 AM
to Yoav Weiss, Lily Chen, blink-dev

Daniel Bratell

Sep 12, 2019, 10:01:24 AM
to Yoav Weiss, Philip Jägenstedt, Lily Chen, blink-dev
It is a lot to show a message in devtools for 50% of page loads for an indefinite amount of time. Do we have any precedent here and know how it will affect devtools users?

/Daniel
--
/* Opera Software, Linköping, Sweden: CEST (UTC+2) */

Lily Chen

Sep 12, 2019, 11:44:06 AM
to Daniel Bratell, Yoav Weiss, Philip Jägenstedt, Lily Chen, blink-dev
This won't be shown for an indefinite period of time. We intend for them to be removed once `SameSite=None; Secure` adoption is high enough. At that point, the cookies that are blocked due to that restriction can be found in DevTools under the recently-added blocked-cookie view that highlights which fields are misset or malformed.

Mike West

Sep 13, 2019, 12:34:02 PM
to Lily Chen, Daniel Bratell, Yoav Weiss, Philip Jägenstedt, blink-dev
I've skimmed through a few highish-profile sites with lots of third-party integrations (CNN, Süddeutsche, NYT, etc); the console message is fairly unobtrusive due to the folding behavior that bunches all the similar warnings up into a group.

If it turns out that we're not going to be able to ship the change to `SameSite`'s defaults in a reasonable timeframe, we might want to revisit this warning. As is, though, it seems quite reasonable to me for us to be a little louder about a biggish change like this than it would be for something more narrow (like, for example, "preloaded resources not being used within a few seconds from the window's load event", which is everywhere, and doesn't seem to be grouped?).

LGTM3.

-mike
