Intent to ship: Cookie “SameSite=Lax by default”, “SameSite=None only if secure” and “Schemeful SameSite”


Niklas Gögge

Nov 30, 2021, 7:45:03 AM
to dev-pl...@mozilla.org, Christoph Kerschbaumer
As of Firefox 96 we intend to ship “SameSite=Lax by default”, “SameSite=None only if secure” and “Schemeful SameSite” on all platforms. These features have been developed behind the following preferences: “network.cookie.sameSite.laxByDefault”, “network.cookie.sameSite.noneRequiresSecure”, and “network.cookie.sameSite.schemeful”.

Link to the proposal: https://datatracker.ietf.org/doc/html/draft-west-cookie-incrementalism-01

Summary:
  "1.  Treat the lack of an explicit "SameSite" attribute as
       "SameSite=Lax".  That is, the "Set-Cookie" value "key=value" will
       produce a cookie equivalent to "key=value; SameSite=Lax".
       Cookies that require cross-site delivery can explicitly opt-into
       such behavior by asserting "SameSite=None" when creating a
       cookie.
   2.  Require the "Secure" attribute to be set for any cookie which
       asserts "SameSite=None" (similar conceptually to the behavior for
       the "__Secure-" prefix).  That is, the "Set-Cookie" value
       "key=value; SameSite=None; Secure" will be accepted, while
       "key=value; SameSite=None" will be rejected.
   3.  Require both the scheme and registrable domain of a request's
       client's "site for cookies" to match the target URL when deciding
       whether a given request is considered same-site.  That is, a
       request initiated from "http://site.example" to
       "https://site.example" should be considered cross-site."

Google Chrome has already shipped these features.

Bug to turn on by default: https://bugzilla.mozilla.org/show_bug.cgi?id=1617609

SameSite MDN Docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
web-platform-tests:
https://github.com/web-platform-tests/wpt/tree/master/cookies/samesite-none-secure
https://github.com/web-platform-tests/wpt/tree/master/cookies/schemeful-same-site
https://github.com/web-platform-tests/wpt/tree/master/cookies/samesite
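The three rules quoted above, as an added example that is not code from this thread or from Firefox: a small Python model of a cookie store that applies "Lax by default", "None only if Secure" and the schemeful same-site check. `registrable_domain` is a constructed simplification (last two labels); real browsers consult the Public Suffix List.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs); attribute names are lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def accept_cookie(header):
    """Rules 1 and 2: a missing SameSite is treated as Lax; SameSite=None needs Secure.
    Returns the effective cookie, or None when the store rejects it."""
    name, value, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("strict", "lax", "none"):
        samesite = "lax"  # rule 1: "key=value" behaves like "key=value; SameSite=Lax"
    secure = "secure" in attrs
    if samesite == "none" and not secure:
        return None  # rule 2: "SameSite=None" without "Secure" is rejected
    return {"name": name, "value": value, "samesite": samesite, "secure": secure}

def registrable_domain(host):
    """Constructed simplification: last two labels. Browsers use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])

def schemeful_same_site(site_for_cookies, target_url):
    """Rule 3: both the scheme and the registrable domain must match."""
    a, b = urlsplit(site_for_cookies), urlsplit(target_url)
    return a.scheme == b.scheme and registrable_domain(a.hostname) == registrable_domain(b.hostname)

def cookie_sent(cookie, site_for_cookies, target_url, safe_top_level_navigation=False):
    """Would an accepted cookie be attached to a request from site_for_cookies to target_url?"""
    if cookie["secure"] and urlsplit(target_url).scheme != "https":
        return False  # Secure cookies only travel over https
    if schemeful_same_site(site_for_cookies, target_url):
        return True
    if cookie["samesite"] == "none":
        return True  # explicitly opted in to cross-site delivery
    if cookie["samesite"] == "lax":
        return safe_top_level_navigation  # Lax: cross-site only on safe top-level navigations
    return False  # Strict: never sent cross-site
```

Note that under rule 3 an http-to-https request within the same registrable domain is cross-site, so a default (Lax) cookie is only attached to it on a safe top-level navigation.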

Anne van Kesteren

Nov 30, 2021, 9:21:01 AM
to Niklas Gögge, dev-pl...@mozilla.org, Christoph Kerschbaumer
Thanks Niklas for tackling this!

On Tue, Nov 30, 2021 at 1:45 PM Niklas Gögge <ngo...@mozilla.com> wrote:
> Link to the proposal: https://datatracker.ietf.org/doc/html/draft-west-cookie-incrementalism-01

Just to be clear, this is part of the next iteration of the Cookies
specification now:
https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis.
If we link anywhere in our code to that older draft it would be best
to update it. I don't think there have been any functional changes,
but the specification-related terminology did change a little bit.

Dragana Damjanovic

Nov 30, 2021, 9:28:54 AM
to Niklas Gögge, dev-pl...@mozilla.org, Christoph Kerschbaumer
Hi,

I have a question about the bugs linked to:
https://bugzilla.mozilla.org/show_bug.cgi?id=1618610
and also

There are some webcompat issues linked as well.
Are we confident that these issues are fixed? Can we close them? I would prefer a comment in them saying what the status is, or do we have a doc that analyzes these issues?
Do these issues reproduce in Chrome or are they Firefox specific? In the latter case that would be a bug in our code.


dragana


Valentin Gosu

Nov 30, 2021, 9:34:28 AM
to Dragana Damjanovic, Niklas Gögge, dev-pl...@mozilla.org, Christoph Kerschbaumer
There are also a number of sameSite web platform tests that are currently marked as failing.
Before shipping this we should at least try to fix those which pass in other browsers.



Niklas Gögge

Nov 30, 2021, 12:47:08 PM
to dev-pl...@mozilla.org, valent...@gmail.com, Niklas Gögge, dev-pl...@mozilla.org, Christoph Kerschbaumer, Dragana Damjanovic
Hi Dragana and Valentin,

We are fairly confident that we won't face major breakages when released given that:
- We have had these features enabled on Nightly for over a year.
- We will have them on Beta soon.
- Google Chrome has shipped them over a year ago.

That being said, there can of course still be bugs and we have been going through the breakages listed in https://bugzilla.mozilla.org/show_bug.cgi?id=1618610. So far all the breakages we got to were no longer reproducible and we will continue to verify the rest. Thanks for pointing out the WPT failures, we will make sure to investigate those. Should we get a significant amount of breakage reports in Beta we will delay the shipping.


Dragana Damjanovic

Nov 30, 2021, 2:24:13 PM
to Niklas Gögge, dev-pl...@mozilla.org, valent...@gmail.com, Christoph Kerschbaumer
Hi,

I would prefer that all breakages reported so far are resolved or otherwise explained before this hits the late Beta. Some of these bugs were reported as late as last month.

Can we have a checkpoint before this hits the late Beta? An internal email would be enough.
Please close bugs that are not reproducible or write a comment that explains your investigation. I would expect that all breakage bugs are closed before shipping.

dragana


Niklas Gögge

Dec 15, 2021, 11:54:06 AM
to dev-pl...@mozilla.org, Dragana Damjanovic, dev-pl...@mozilla.org, valent...@gmail.com, Christoph Kerschbaumer, Niklas Gögge

Hi, everyone!

Here is a quick update to clear up the uncertainty and confusion.

In the past two weeks we have taken a look at the SameSite cookie WPTs that Firefox was failing, investigated the breakages that were reported to us and also had QA testing done to ensure there are no breakages on any major sites.
With renewed confidence, we have reached the conclusion that we will still ship in Firefox 96.

- Niklas


Valentin Gosu

Dec 16, 2021, 3:41:06 AM
to Niklas Gögge, dev-pl...@mozilla.org, Dragana Damjanovic, Christoph Kerschbaumer
Thank you for all the hard work you've put into this, Niklas!
I'm happy to see this shipping!


Frederik Braun

Jan 26, 2022, 11:35:45 AM
to dev-pl...@mozilla.org
Hi all,

we've experienced some issues that led us to disable these features
through Normandy and will result in us enabling this only for
"EARLY_BETA_OR_EARLIER".

We will keep the list updated once we have a plan and a timeline.


Thanks,
Freddy
> On Tuesday, November 30, 2021 at 3:34:28 PM UTC+1 valent...@gmail.com wrote:
>
> There are also a number of sameSite web platform tests that
> are currently marked as failing.
> Before shipping this we should at least try to fix those
> which pass in other browsers.
> https://wpt.fyi/results/cookies?label=experimental&label=master&aligned