info
Google Groups không còn hỗ trợ đăng ký sử dụng hoặc đăng nội dung mới trên Usenet. Bạn vẫn có thể xem nội dung cũ.
Dismiss
Intent to implement: Cookie SameSite=lax by default and SameSite=none only if secure
13.103 lượt xem
Chuyển tới thư đầu tiên chưa đọc
Andrea Marchesini
04:34:14 23 thg 5, 201923/5/19
đến dev-platform
Link to the proposal:
https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
Summary:
"1. Treat the lack of an explicit "SameSite" attribute as
"SameSite=Lax". That is, the "Set-Cookie" value "key=value" will
produce a cookie equivalent to "key=value; SameSite=Lax".
Cookies that require cross-site delivery can explicitly opt-into
such behavior by asserting "SameSite=None" when creating a
cookie.
2. Require the "Secure" attribute to be set for any cookie which
asserts "SameSite=None" (similar conceptually to the behavior for
the "__Secure-" prefix). That is, the "Set-Cookie" value
"key=value; SameSite=None; Secure" will be accepted, while
"key=value; SameSite=None" will be rejected."
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1551798
Platform coverage: all
Estimated or target release: 69 - behind pref
Preferences behind which this will be implemented:
- network.cookie.sameSite.laxByDefault
- network.cookie.sameSite.noneRequiresSecure (this requires the previous
one to be set to true)
Is this feature enabled by default in sandboxed iframes? yes.
Do other browser engines implement this?
- Chrome is implementing/experimenting this feature:
https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
- Safari: no signal yet.
web-platform-tests: There is a pull-request
https://github.com/web-platform-tests/wpt/pull/16957
Implementing this feature, I added a mochitest to inspect cookies via
CookieManager.
Is this feature restricted to secure contexts? no
https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
Summary:
"1. Treat the lack of an explicit "SameSite" attribute as
"SameSite=Lax". That is, the "Set-Cookie" value "key=value" will
produce a cookie equivalent to "key=value; SameSite=Lax".
Cookies that require cross-site delivery can explicitly opt-into
such behavior by asserting "SameSite=None" when creating a
cookie.
2. Require the "Secure" attribute to be set for any cookie which
asserts "SameSite=None" (similar conceptually to the behavior for
the "__Secure-" prefix). That is, the "Set-Cookie" value
"key=value; SameSite=None; Secure" will be accepted, while
"key=value; SameSite=None" will be rejected."
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1551798
Platform coverage: all
Estimated or target release: 69 - behind pref
Preferences behind which this will be implemented:
- network.cookie.sameSite.laxByDefault
- network.cookie.sameSite.noneRequiresSecure (this requires the previous
one to be set to true)
Is this feature enabled by default in sandboxed iframes? yes.
Do other browser engines implement this?
- Chrome is implementing/experimenting this feature:
https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
- Safari: no signal yet.
web-platform-tests: There is a pull-request
https://github.com/web-platform-tests/wpt/pull/16957
Implementing this feature, I added a mochitest to inspect cookies via
CookieManager.
Is this feature restricted to secure contexts? no
Bài viết đã bị xóa
Bài viết đã bị xóa
Bài viết đã bị xóa
Bài viết đã bị xóa
Bài viết đã bị xóa
Bài viết đã bị xóa
Bài viết đã bị xóa
jmu...@parrastu.catholic.edu.au
19:41:06 31 thg 10, 201931/10/19
đến
On Thursday, 23 May 2019 18:34:14 UTC+10, Andrea Marchesini wrote:
> Link to the projchdfuao uo p;a ciwgbyis ygidq aurotuoeaip gup vygiupgayei whejioyopuas9rqyw9e-fyes09uya90explicit "SameSite" attribute as
> Link to the projchdfuao uo p;a ciwgbyis ygidq aurotuoeaip gup vygiupgayei whejioyopuas9rqyw9e-fyes09uya90explicit "SameSite" attribute as
Bài viết đã bị xóa
Bài viết đã bị xóa
Bài viết đã bị xóa
Bài viết đã bị xóa
23gpaga...@dc-tech.org
18:43:12 7 thg 11, 20197/11/19
đến
how you are
vitinh...@gmail.com
11:53:20 10 thg 11, 201910/11/19
đến
brin...@gmail.com
23:26:28 13 thg 11, 201913/11/19
đến
ЧО КАВО КРЕК?
P.S.-Я ШРЕК
Bài viết đã bị xóa
anatol...@gmail.com
20:11:16 15 thg 11, 201915/11/19
đến
Bài viết đã bị xóa
Bài viết đã bị xóa
abdulwah...@gmail.com
12:32:06 21 thg 11, 201921/11/19
đến
jdwri...@gmail.com
12:51:21 25 thg 11, 201925/11/19
đến
I was just messing around in Italian class how did I get here?
jdwri...@gmail.com
12:53:38 25 thg 11, 201925/11/19
đến
raqu...@gmail.com
15:10:21 3 thg 12, 20193/12/19
đến
natnael.h...@kindcentrumoranje-nassau.nl
05:12:02 10 thg 12, 201910/12/19
đến
Op donderdag 23 mei 2019 10:34:14 UTC+2 schreef Andrea Marchesini:
hchai...@gmail.com
16:13:14 15 thg 12, 201915/12/19
đến
hani...@gmail.com
08:43:04 16 thg 12, 201916/12/19
đến
karlhe...@gmail.com
05:01:02 18 thg 12, 201918/12/19
đến
karlhe...@gmail.com
05:02:36 18 thg 12, 201918/12/19
đến
inletexp...@gmail.com
00:39:47 19 thg 12, 201919/12/19
đến
go37...@gmail.com
23:23:15 4 thg 1, 20204/1/20
đến
go37...@gmail.com
23:27:51 4 thg 1, 20204/1/20
đến
go37...@gmail.com
23:28:09 4 thg 1, 20204/1/20
đến
go37...@gmail.com
23:28:30 4 thg 1, 20204/1/20
đến
go37...@gmail.com
23:28:44 4 thg 1, 20204/1/20
đến
go37...@gmail.com
23:29:18 4 thg 1, 20204/1/20
đến
go37...@gmail.com
23:29:32 4 thg 1, 20204/1/20
đến
go37...@gmail.com
23:29:44 4 thg 1, 20204/1/20
đến
On Sunday, 5 January 2020 12:27:51 UTC+8, go37...@gmail.com wrote:
go37...@gmail.com
23:30:16 4 thg 1, 20204/1/20
đến
On Thursday, 23 May 2019 16:53:19 UTC+8, Frederik Braun wrote:
> Having read the proposal, I think it's a good mechanism for us to know
> about websites that want third-party cookies and it seems less costly to
> deploy for websites than Storage Access API.
>
> However, it seems this is Google's counter to Apple's Storage Access
> API, which we have also implemented in
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1469714>.
>
> What's our plan here? Offer both and find out what's going to get more
> traction?
>
> Am 23.05.19 um 10:33 schrieb Andrea Marchesini:
> > _______________________________________________
> > dev-platform mailing list
> > dev-pl...@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-platform
> >
> Having read the proposal, I think it's a good mechanism for us to know
> about websites that want third-party cookies and it seems less costly to
> deploy for websites than Storage Access API.
>
> However, it seems this is Google's counter to Apple's Storage Access
> API, which we have also implemented in
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1469714>.
>
> What's our plan here? Offer both and find out what's going to get more
> traction?
>
> Am 23.05.19 um 10:33 schrieb Andrea Marchesini:
> > dev-platform mailing list
> > dev-pl...@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-platform
> >
go37...@gmail.com
23:30:32 4 thg 1, 20204/1/20
đến
On Thursday, 23 May 2019 17:40:10 UTC+8, Mike West wrote:
> the `SameSite=None` declaration _and_ on whatever the user agent thinks
> should be required from an activation standpoint is both possible and
> reasonable.
>
> -mike
> On Thu, May 23, 2019 at 10:53 AM Frederik Braun <fbr...@mozilla.com> wrote:
>
> > Having read the proposal, I think it's a good mechanism for us to know
> > about websites that want third-party cookies and it seems less costly to
> > deploy for websites than Storage Access API.
> >
> > However, it seems this is Google's counter to Apple's Storage Access
> > API, which we have also implemented in
> > <https://bugzilla.mozilla.org/show_bug.cgi?id=1469714>.
> >
>
> IMO, these are not at all mutually exclusive. Gating cookie access on both
>
> > Having read the proposal, I think it's a good mechanism for us to know
> > about websites that want third-party cookies and it seems less costly to
> > deploy for websites than Storage Access API.
> >
> > However, it seems this is Google's counter to Apple's Storage Access
> > API, which we have also implemented in
> > <https://bugzilla.mozilla.org/show_bug.cgi?id=1469714>.
> >
>
> the `SameSite=None` declaration _and_ on whatever the user agent thinks
> should be required from an activation standpoint is both possible and
> reasonable.
>
> -mike
go37...@gmail.com
23:30:52 4 thg 1, 20204/1/20
đến
On Thursday, 24 October 2019 00:49:28 UTC+8, 2027grue...@aaps.k12.mi.us wrote:
> On Thursday, May 23, 2019 at 4:34:14 AM UTC-4, Andrea Marchesini wrote:
> > Link to the proposal:
> > https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
> >
> > Summary:yo dudes. were dem cookies at
> > Link to the proposal:
> > https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
> >
go37...@gmail.com
23:31:15 4 thg 1, 20204/1/20
đến
On Sunday, 3 November 2019 05:48:57 UTC+8, 001m...@gmail.com wrote:
> Asi O es mejor +
> A cookie associated with a resource at http://trc.taboola.com/ was set with `SameSite=None` but without `Secure`. A future release of Chrome will only deliver cookies marked `SameSite=None` if they are also marked `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.
>
>
>
> Add:lpcres.delve.office.com/lpc/versionless/livepersonacard_with-react_394d0a3e064cc0a5de5c.js:16 Some icons were re-registered. Applications should only call registerIcons for any given icon once. Redefining what an icon is may have unintended consequences. Duplicates include:
> GlobalNavButton, ChevronDown, ChevronUp, Edit, Add, Cancel, More, Settings, Mail, Filter (+ 274 more)
> Asi O es mejor +
> A cookie associated with a resource at http://trc.taboola.com/ was set with `SameSite=None` but without `Secure`. A future release of Chrome will only deliver cookies marked `SameSite=None` if they are also marked `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.
>
>
>
> Add:lpcres.delve.office.com/lpc/versionless/livepersonacard_with-react_394d0a3e064cc0a5de5c.js:16 Some icons were re-registered. Applications should only call registerIcons for any given icon once. Redefining what an icon is may have unintended consequences. Duplicates include:
> GlobalNavButton, ChevronDown, ChevronUp, Edit, Add, Cancel, More, Settings, Mail, Filter (+ 274 more)
go37...@gmail.com
23:31:30 4 thg 1, 20204/1/20
đến
go37...@gmail.com
23:31:54 4 thg 1, 20204/1/20
đến
On Monday, 16 December 2019 05:13:14 UTC+8, hchai...@gmail.com wrote:
tre...@gmail.com
12:48:59 7 thg 1, 20207/1/20
đến
tre...@gmail.com
12:52:46 7 thg 1, 20207/1/20
đến
hcha...@gmail.com
05:18:59 10 thg 1, 202010/1/20
đến
recruit...@gmail.com
12:09:37 16 thg 1, 202016/1/20
đến
lexyand...@gmail.com
03:22:49 17 thg 1, 202017/1/20
đến
cabez...@gmail.com
19:28:06 25 thg 1, 202025/1/20
đến
Bài viết đã bị xóa
11to...@gmail.com
13:26:58 3 thg 2, 20203/2/20
đến
miri...@gmail.com
00:07:32 4 thg 2, 20204/2/20
đến
On Thursday, May 23, 2019 at 1:34:14 AM UTC-7, Andrea Marchesini wrote:
one...@gmail.com
17:41:16 11 thg 2, 202011/2/20
đến
wearepeac...@gmail.com
10:33:31 14 thg 2, 202014/2/20
đến
четверг, 23 мая 2019 г., 16:34:14 UTC+8 пользователь Andrea Marchesini написал:
?????
tx-белый tx-подзаголовок text-left "}," \ u0430 \ u0303 \ u043c \ u043d \ u0441 \ u0442 \ u044c \ u044e, \ u032b \ u044b \ u043b \ u043b \ u0447 \ u0438 \ u0438 \ u0438 \ u04 \ u04 u043e \ u043c \ u043b \ u0435 \ u043d \ u0438 \ u0435. "SacreateElement ( "ш", нуль), this.getLeftSympathy ()> 0 && s.a.createElement ( "пролет", нулевой sacreateElement (A, {номер: this.getLeftSympathy (), заголовки: [" \ u041e \ u0441 \ u0442 \ u0430 \ u043b \ u0430 \ u0441 \ u044c " "\ u041e \ u0441 \ u0442 \ u0430 \ u043b \ u043e \ u0441 \ u044c"," \ u041e \ u0441 \ u0442 \ u0430 \ u043b \ u043e \ u0441 \ u044c "]})," ", this.getLeftSympathy ()," ", sacreateElement (A, {number: this.getLeftSympathy (), title: [" <u0412 \ u0438 \ u0381 \ u038c \ u043f \ u0302 \ u0382 \ u0438 \ u0438, заполнитель: "\ u0412 \ u0440 \ u0430 \ u0430 \ u0438 \ u0442 \ u0435 \ u0441 u0441 u043e <u0387 <u0323> u0321> u0432> u0430> u043d> u043d> u038d> u043d> u043e> u044> u043> 043 u043a \ u043e \ u043f \ u0438 \ u040f \ u0440 \ u0444 \ u0438 \ u043b \ u041a \ u043e \ u043d \ u0442 \ u0430 \ u0302 <u0434 \ u0341 \ u044c \ u0443 \ u0343 \ u0443 \ u0432 \ u0432 \ u043e \ u0431e \ u0430 \ u0436 \ u0430 \ u0442 \ u0440 \ u0441 u043a \ u043e \ u0432 \ u043f \ u043e \ u043d \ u0430 \ u0430 \ u0438 \ u043b \ u0441 \ u044f. \ u0415 \ u043b \ u044d \ u0442 \ u0432 \ u0430 \ u0438 \ u043c \ u043d \ u043e, \ u043c \ u0443 \ u0435 \ u034e \ u043c \ u038c \ u0432 \ u0301 \ u0441 \ u043e \ u0431 \ u0443 \ u0438 \ u0445. \ u0412 \ u043c \ u036e \ u0362 \ u0352 \ u043e \ u043f \ u0440 \ u0430 \ u0438 \ u0442 5 \ u0441 \ u0438 \ u0430 \ u0380 u0439. "})," super-sympathy "=== t && s.a.createElement (D, {users: e.props.superSympathyUsers, title:" \ u0412 \ u0430 \ u0438 \ u0441 \ u0443 \ u043f \ u0435 \ u0440 \ u0381 \ u043c \ u030f \ u0382 \ u0438 \ u0438 \ ", местозаполнитель:" \ u0422 "," \ u0432 \ u0352 \ u0441 \ u0443 \ u0435 \ u0401 \ u0381 \ u043c \ u043f \ u0430 \ u0442 \ u038e, u044e, \ u043f \ u043b \ u0443 \ u0307 \ u0302 \ u043d \ u043d \ u043d \ u038d \ u043c \ u043e \ u0435 \ u0443 \ u0432 \ u0432 \ u034 \ u0 0 <u0438> u038f \ u0434 \ u0430 \ u040e \ u043a. \ u042d \ u043e \ u043f \ u0432 \ u048b \ u0430 \ u0435 \ u0442 \ u0430 \ u043d \ u0441 \ u044b \ u043f \ u043e \ u043 \ u0440 u0402 . \ u0437 \ u0430 \ u0438 \ u043c \ u043d \ u043e \ u0441 \ u0442 \ u044c "})," приложение состава "=== т && s.a.createElement ($ {secretMatchAllowed: e.state.secretMatchAllowed}), "Ловина-промо" === т && s.a.createElement (W, {secretMatchAllowed: e.state.secretMatchAllowed}), "секрет-симпатия" === т && 0 == о && s.a.createElement (X, {закончился: e.props.appEnded, граф: о}))}), this.props.appEnded && s.a.createElement ( "ДИВ", нулевой sacreateElement ($,
tx-белый tx-подзаголовок text-left "}," \ u0430 \ u0303 \ u043c \ u043d \ u0441 \ u0442 \ u044c \ u044e, \ u032b \ u044b \ u043b \ u043b \ u0447 \ u0438 \ u0438 \ u0438 \ u04 \ u04 u043e \ u043c \ u043b \ u0435 \ u043d \ u0438 \ u0435. "SacreateElement ( "ш", нуль), this.getLeftSympathy ()> 0 && s.a.createElement ( "пролет", нулевой sacreateElement (A, {номер: this.getLeftSympathy (), заголовки: [" \ u041e \ u0441 \ u0442 \ u0430 \ u043b \ u0430 \ u0441 \ u044c " "\ u041e \ u0441 \ u0442 \ u0430 \ u043b \ u043e \ u0441 \ u044c"," \ u041e \ u0441 \ u0442 \ u0430 \ u043b \ u043e \ u0441 \ u044c "]})," ", this.getLeftSympathy ()," ", sacreateElement (A, {number: this.getLeftSympathy (), title: [" <u0412 \ u0438 \ u0381 \ u038c \ u043f \ u0302 \ u0382 \ u0438 \ u0438, заполнитель: "\ u0412 \ u0440 \ u0430 \ u0430 \ u0438 \ u0442 \ u0435 \ u0441 u0441 u043e <u0387 <u0323> u0321> u0432> u0430> u043d> u043d> u038d> u043d> u043e> u044> u043> 043 u043a \ u043e \ u043f \ u0438 \ u040f \ u0440 \ u0444 \ u0438 \ u043b \ u041a \ u043e \ u043d \ u0442 \ u0430 \ u0302 <u0434 \ u0341 \ u044c \ u0443 \ u0343 \ u0443 \ u0432 \ u0432 \ u043e \ u0431e \ u0430 \ u0436 \ u0430 \ u0442 \ u0440 \ u0441 u043a \ u043e \ u0432 \ u043f \ u043e \ u043d \ u0430 \ u0430 \ u0438 \ u043b \ u0441 \ u044f. \ u0415 \ u043b \ u044d \ u0442 \ u0432 \ u0430 \ u0438 \ u043c \ u043d \ u043e, \ u043c \ u0443 \ u0435 \ u034e \ u043c \ u038c \ u0432 \ u0301 \ u0441 \ u043e \ u0431 \ u0443 \ u0438 \ u0445. \ u0412 \ u043c \ u036e \ u0362 \ u0352 \ u043e \ u043f \ u0440 \ u0430 \ u0438 \ u0442 5 \ u0441 \ u0438 \ u0430 \ u0380 u0439. "})," super-sympathy "=== t && s.a.createElement (D, {users: e.props.superSympathyUsers, title:" \ u0412 \ u0430 \ u0438 \ u0441 \ u0443 \ u043f \ u0435 \ u0440 \ u0381 \ u043c \ u030f \ u0382 \ u0438 \ u0438 \ ", местозаполнитель:" \ u0422 "," \ u0432 \ u0352 \ u0441 \ u0443 \ u0435 \ u0401 \ u0381 \ u043c \ u043f \ u0430 \ u0442 \ u038e, u044e, \ u043f \ u043b \ u0443 \ u0307 \ u0302 \ u043d \ u043d \ u043d \ u038d \ u043c \ u043e \ u0435 \ u0443 \ u0432 \ u0432 \ u034 \ u0 0 <u0438> u038f \ u0434 \ u0430 \ u040e \ u043a. \ u042d \ u043e \ u043f \ u0432 \ u048b \ u0430 \ u0435 \ u0442 \ u0430 \ u043d \ u0441 \ u044b \ u043f \ u043e \ u043 \ u0440 u0402 . \ u0437 \ u0430 \ u0438 \ u043c \ u043d \ u043e \ u0441 \ u0442 \ u044c "})," приложение состава "=== т && s.a.createElement ($ {secretMatchAllowed: e.state.secretMatchAllowed}), "Ловина-промо" === т && s.a.createElement (W, {secretMatchAllowed: e.state.secretMatchAllowed}), "секрет-симпатия" === т && 0 == о && s.a.createElement (X, {закончился: e.props.appEnded, граф: о}))}), this.props.appEnded && s.a.createElement ( "ДИВ", нулевой sacreateElement ($,
amarc...@mozilla.com
13:13:30 27 thg 2, 202027/2/20
đến
Hi everyone,
here is something more about cookies sameSite=lax by default.
In order to test this feature properly and to see the level of breakage introduced, we've decided to enable it in nightly.
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1604212
This feature is partially covered by web-platform-tests:
https://searchfox.org/mozilla-central/source/testing/web-platform/tests/cookies/samesite-none-secure
https://searchfox.org/mozilla-central/source/testing/web-platform/tests/cookies/samesite
As you know, Chrome is already rolling out this feature: it's active for 1% of their population.
I filed a meta bug to collect breakages - https://bugzilla.mozilla.org/show_bug.cgi?id=1618610
here is something more about cookies sameSite=lax by default.
In order to test this feature properly and to see the level of breakage introduced, we've decided to enable it in nightly.
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1604212
This feature is partially covered by web-platform-tests:
https://searchfox.org/mozilla-central/source/testing/web-platform/tests/cookies/samesite-none-secure
https://searchfox.org/mozilla-central/source/testing/web-platform/tests/cookies/samesite
As you know, Chrome is already rolling out this feature: it's active for 1% of their population.
I filed a meta bug to collect breakages - https://bugzilla.mozilla.org/show_bug.cgi?id=1618610
francoel...@gmail.com
08:15:53 29 thg 2, 202029/2/20
đến
so che siete dei bugiardi e vi scopriranno presto i carabinieri
F R A N C I S
02:30:15 2 thg 3, 20202/3/20
đến
El jueves, 23 de mayo de 2019, 4:34:14 (UTC-4), Andrea Marchesini escribió:
kolony...@gmail.com
15:45:17 5 thg 3, 20205/3/20
đến
23 Mayıs 2019 Perşembe 11:34:14 UTC+3 tarihinde Andrea Marchesini yazdı:
yucaga...@gmail.com
13:42:40 6 thg 3, 20206/3/20
đến
eae galera
n tirem meu google de mim
porfavor
n tirem meu google de mim
porfavor
gabim...@gmail.com
14:01:10 9 thg 3, 20209/3/20
đến
בתאריך יום חמישי, 23 במאי 2019 בשעה 11:34:14 UTC+3, מאת Andrea Marchesini:
thale...@gmail.com
20:03:27 11 thg 3, 202011/3/20
đến
3wwre33gtr
h23tytgm
gard...@gmail.com
07:53:10 31 thg 3, 202031/3/20
đến
On Thursday, May 23, 2019 at 4:34:14 AM UTC-4, Andrea Marchesini wrote:
kyle.bl...@gmail.com
14:38:50 31 thg 3, 202031/3/20
đến
bb08...@gmail.com
23:10:46 7 thg 4, 20207/4/20
đến
Add me. Hhhh
tysoo...@gmail.com
09:32:10 11 thg 4, 202011/4/20
đến
در پنجشنبه 23 مهٔ 2019، ساعت 13:04:14 (UTC+4:30)، Andrea Marchesini نوشته:
maksga...@gmail.com
12:40:43 13 thg 4, 202013/4/20
đến
четверг, 23 мая 2019 г., 11:34:14 UTC+3 пользователь Andrea Marchesini написал:
jeuxsum...@gmail.com
09:24:15 17 thg 4, 202017/4/20
đến
tmebe...@yahoo.com
01:05:39 24 thg 4, 202024/4/20
đến
On Thursday, May 23, 2019 at 4:34:14 AM UTC-4, Andrea Marchesini wrote:
llil...@gmail.com
09:54:27 26 thg 4, 202026/4/20
đến
recheckd and is fine tru
jalal...@ictongiorgi.edu.it
06:56:46 30 thg 4, 202030/4/20
đến
jalal...@ictongiorgi.edu.it
06:57:10 30 thg 4, 202030/4/20
đến
jalal...@ictongiorgi.edu.it
06:57:34 30 thg 4, 202030/4/20
đến
sugyann...@gmail.com
09:08:40 3 thg 5, 20203/5/20
đến
> Link to the proposal:
> https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
>
> Summary:
> "1. Treat the lack of an explicit "SameSite" attribute as
> "SameSite=Lax". That is, the "Set-Cookie" value "key=value" will
> produce a cookie equivalent to "key=value; SameSite=Lax".
> Cookies that require cross-site delivery can explicitly opt-into
> such behavior by asserting "SameSite=None" when creating a
> cookie.
> 2. Require the "Secure" attribute to be set for any cookie which
> asserts "SameSite=None" (similar conceptually to the behavior for
> the "__Secure-" prefix). That is, the "Set-Cookie" value
> "key=value; SameSite=None; Secure" will be accepted, while
> "key=value; SameSite=None" will be rejected."
>
>
> Platform coverage: all
>
> Estimated or target release: 69 - behind pref
>
> Preferences behind which this will be implemented:
> - network.cookie.sameSite.laxByDefault
> - network.cookie.sameSite.noneRequiresSecure (this requires the previous
> one to be set to true)
>
> Is this feature enabled by default in sandboxed iframes? yes.
>
> Do other browser engines implement this?
> - Chrome is implementing/experimenting this feature:
> https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
> - Safari: no signal yet.
>
> web-platform-tests: There is a pull-request
> https://github.com/web-platform-tests/wpt/pull/16957
> Implementing this feature, I added a mochitest to inspect cookies via
> CookieManager.
>
> Is this feature restricted to secure contexts? no
implement the post reply option
> Platform coverage: all
>
> Estimated or target release: 69 - behind pref
>
> Preferences behind which this will be implemented:
> - network.cookie.sameSite.laxByDefault
> - network.cookie.sameSite.noneRequiresSecure (this requires the previous
> one to be set to true)
>
> Is this feature enabled by default in sandboxed iframes? yes.
>
> Do other browser engines implement this?
> - Chrome is implementing/experimenting this feature:
> https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
> - Safari: no signal yet.
>
> web-platform-tests: There is a pull-request
> https://github.com/web-platform-tests/wpt/pull/16957
> Implementing this feature, I added a mochitest to inspect cookies via
> CookieManager.
>
> Is this feature restricted to secure contexts? no
rabixw...@gmail.com
17:38:35 2 thg 6, 20202/6/20
đến
El jueves, 23 de mayo de 2019, 2:34:14 (UTC-6), Andrea Marchesini escribió:
> Link to the proposal:
> https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
>
> Summary:
> "1. Treat the lack of an explicit "SameSite" attribute as
> "SameSite=Lax". That is, the "Set-Cookie" value "key=value" will
> produce a cookie equivalent to "key=value; SameSite=Lax".
> Cookies that require cross-site delivery can explicitly opt-into
> such behavior by asserting "SameSite=None" when creating a
> cookie.
> 2. Require the "Secure" attribute to be set for any cookie which
> asserts "SameSite=None" (similar conceptually to the behavior for
> the "__Secure-" prefix). That is, the "Set-Cookie" value
> "key=value; SameSite=None; Secure" will be accepted, while
> "key=value; SameSite=None" will be rejected."
>
> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1551798
> Link to the proposal:
> https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
>
> Summary:
> "1. Treat the lack of an explicit "SameSite" attribute as
> "SameSite=Lax". That is, the "Set-Cookie" value "key=value" will
> produce a cookie equivalent to "key=value; SameSite=Lax".
> Cookies that require cross-site delivery can explicitly opt-into
> such behavior by asserting "SameSite=None" when creating a
> cookie.
> 2. Require the "Secure" attribute to be set for any cookie which
> asserts "SameSite=None" (similar conceptually to the behavior for
> the "__Secure-" prefix). That is, the "Set-Cookie" value
> "key=value; SameSite=None; Secure" will be accepted, while
> "key=value; SameSite=None" will be rejected."
>
nileshson...@gmail.com
12:26:19 16 thg 6, 202016/6/20
đến
Mike Conca
11:07:36 1 thg 7, 20201/7/20
đến
Starting with Beta 79 today, we are rolling out this change to the default behavior of SameSite cookies to a small percentage of the beta population. The initial target is 10%, slowly increasing to 50% by the end of the beta cycle. We will hold at 50% for at least two more beta cycles, at which point we will consider introducing this to a small percentage of the Firefox release population.
Known site breakage is being tracked here: https://bugzilla.mozilla.org/show_bug.cgi?id=1618610
Web developers can find more information here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#Fixing_common_warnings
A good overview of this issue can be found here: https://web.dev/samesite-cookies-explained/
Mike Conca
Group Product Manager, Firefox Web Technologies
Known site breakage is being tracked here: https://bugzilla.mozilla.org/show_bug.cgi?id=1618610
Web developers can find more information here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#Fixing_common_warnings
A good overview of this issue can be found here: https://web.dev/samesite-cookies-explained/
Mike Conca
Group Product Manager, Firefox Web Technologies
CJ Baumer
18:44:02 21 thg 7, 202021/7/20
đến
Mike Conca
10:28:35 22 thg 7, 202022/7/20
đến
On Tuesday, July 21, 2020 at 4:44:02 PM UTC-6, CJ Baumer wrote:
> To clarify, Firefox intends to roll out both SameSite=Lax as default and require Secure for SameSite=None at the same time correct?
Yes, these changes are both rolling out simultaneously.
> To clarify, Firefox intends to roll out both SameSite=Lax as default and require Secure for SameSite=None at the same time correct?
mdr2...@gmail.com
21:21:14 22 thg 7, 202022/7/20
đến
On Thursday, May 23, 2019 at 1:34:14 AM UTC-7, Andrea Marchesini wrote:
> Link to the proposal:
> https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
>
> Summary:
> "1. Treat the lack of an explicit "SameSite" attribute as
> "SameSite=Lax". That is, the "Set-Cookie" value "key=value" will
> produce a cookie equivalent to "key=value; SameSite=Lax".
> Cookies that require cross-site delivery can explicitly opt-into
> such behavior by asserting "SameSite=None" when creating a
> cookie.
> 2. Require the "Secure" attribute to be set for any cookie which
> asserts "SameSite=None" (similar conceptually to the behavior for
> the "__Secure-" prefix). That is, the "Set-Cookie" value
> "key=value; SameSite=None; Secure" will be accepted, while
> "key=value; SameSite=None" will be rejected."
>
> Link to the proposal:
> https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
>
> Summary:
> "1. Treat the lack of an explicit "SameSite" attribute as
> "SameSite=Lax". That is, the "Set-Cookie" value "key=value" will
> produce a cookie equivalent to "key=value; SameSite=Lax".
> Cookies that require cross-site delivery can explicitly opt-into
> such behavior by asserting "SameSite=None" when creating a
> cookie.
> 2. Require the "Secure" attribute to be set for any cookie which
> asserts "SameSite=None" (similar conceptually to the behavior for
> the "__Secure-" prefix). That is, the "Set-Cookie" value
> "key=value; SameSite=None; Secure" will be accepted, while
> "key=value; SameSite=None" will be rejected."
>
gf00...@gmail.com
16:31:00 26 thg 7, 202026/7/20
đến
theil...@gmail.com
06:46:38 2 thg 8, 20202/8/20
đến
בתאריך יום חמישי, 23 במאי 2019 בשעה 11:34:14 UTC+3, מאת Andrea Marchesini:
lescanom...@gmail.com
16:07:44 2 thg 8, 20202/8/20
đến
El jueves, 23 de mayo de 2019, 5:34:14 (UTC-3), Andrea Marchesini escribió:
Karla Saenz
05:35:25 12 thg 8, 202012/8/20
đến
Michael Reeps
12:59:00 14 thg 9, 202014/9/20
đến
On Wednesday, July 1, 2020 at 11:07:36 AM UTC-4, mco...@mozilla.com wrote:
I am seeing this warning now, even when I am in a first party context:
Cookie "xxx” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. The cookies in question are set in the .cfainstitute.org domain and being read only in that same domain. Am I to infer they are going to be rejected anyway, simply because they lack the "secure" attribute?
Daniel Veditz
15:24:44 14 thg 9, 202014/9/20
đến Michael Reeps, dev-platform
On Mon, Sep 14, 2020 at 10:00 AM Michael Reeps <mre...@gmail.com> wrote:
> I am seeing this warning now, even when I am in a first party context:
>
> Cookie "xxx” will be soon rejected because it has the “SameSite” attribute
> set to “None” or an invalid value, without the “secure” attribute. The
> cookies in question are set in the .cfainstitute.org domain and being
> read only in that same domain. Am I to infer they are going to be rejected
> anyway, simply because they lack the "secure" attribute?
>
That is what the proposed spec change requires, yes.
> I am seeing this warning now, even when I am in a first party context:
>
> Cookie "xxx” will be soon rejected because it has the “SameSite” attribute
> set to “None” or an invalid value, without the “secure” attribute. The
> cookies in question are set in the .cfainstitute.org domain and being
> read only in that same domain. Am I to infer they are going to be rejected
> anyway, simply because they lack the "secure" attribute?
>
https://tools.ietf.org/html/draft-west-cookie-incrementalism-01#section-3.2
-Dan Veditz
Daniel Veditz
13:37:25 15 thg 9, 202015/9/20
đến Michael Reeps, dev-platform
On Tue, Sep 15, 2020 at 10:13 AM Michael Reeps <mre...@gmail.com> wrote:
> Thank you for the prompt response to my email. I guess I interpreted the
> standard to mean only when the cookie was intended for cross-site delivery,
> which these are not:
>
If the bug carries the SameSite=None attribute how could the browser
possibly know the cookie is only used samesite? In fact it would appear the
cookie has gone out of its way to announce it is NOT only used on the same
site. The "reject" language in the spec seems pretty clear cut.
> I see this message with nearly all of my Adobe Analytics cookies, Google
> Analytics, and a number of others, and am going to be reliant on those
> vendors to address this issue. The folks at Adobe Client Care were
> completely unaware of Mozilla's interpretation when I reported it, which
> differs from Chrome's. Can you give any insight as to when "soon" is in
> "will be soon rejected"?
>
That we differ from Chrome is concerning. The main reason we're following
the spec so carefully is in order to be compatible with the web's 800lb
gorilla. As it happens I'll be in a meeting with the spec author later
today; I'll ask him about Chrome's implementation of that part, and whether
the spec needs an update.
I don't know how soon -- better question for Andrea (original poster) who
implemented this. I suspect it's "when Chrome does it first". We like the
security improvement, but there are already enough "works in Chrome" sites
through no fault of our own. We can't afford adding to that number
unnecessarily through a self-inflicted wound.
> Thank you for the prompt response to my email. I guess I interpreted the
> standard to mean only when the cookie was intended for cross-site delivery,
> which these are not:
>
If the bug carries the SameSite=None attribute how could the browser
possibly know the cookie is only used samesite? In fact it would appear the
cookie has gone out of its way to announce it is NOT only used on the same
site. The "reject" language in the spec seems pretty clear cut.
> I see this message with nearly all of my Adobe Analytics cookies, Google
> Analytics, and a number of others, and am going to be reliant on those
> vendors to address this issue. The folks at Adobe Client Care were
> completely unaware of Mozilla's interpretation when I reported it, which
> differs from Chrome's. Can you give any insight as to when "soon" is in
> "will be soon rejected"?
>
That we differ from Chrome is concerning. The main reason we're following
the spec so carefully is in order to be compatible with the web's 800lb
gorilla. As it happens I'll be in a meeting with the spec author later
today; I'll ask him about Chrome's implementation of that part, and whether
the spec needs an update.
I don't know how soon -- better question for Andrea (original poster) who
implemented this. I suspect it's "when Chrome does it first". We like the
security improvement, but there are already enough "works in Chrome" sites
through no fault of our own. We can't afford adding to that number
unnecessarily through a self-inflicted wound.
Aung Aung
19:39:06 1 thg 10, 20211/10/21
đến
On Thursday, May 23, 2019 at 3:04:14 PM UTC+6:30, Andrea Marchesini wrote:
> Link to the proposal:
> https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
>
> Summary:
> "1. Treat the lack of an explicit "SameSite" attribute as
> "SameSite=Lax". That is, the "Set-Cookie" value "key=value" will
> produce a cookie equivalent to "key=value; SameSite=Lax".
> Cookies that require cross-site delivery can explicitly opt-into
> such behavior by asserting "SameSite=None" when creating a
> cookie.
> 2. Require the "Secure" attribute to be set for any cookie which
> asserts "SameSite=None" (similar conceptually to the behavior for
> the "__Secure-" prefix). That is, the "Set-Cookie" value
> "key=value; SameSite=None; Secure" will be accepted, while
> "key=value; SameSite=None" will be rejected."
>
> Link to the proposal:
> https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
>
> Summary:
> "1. Treat the lack of an explicit "SameSite" attribute as
> "SameSite=Lax". That is, the "Set-Cookie" value "key=value" will
> produce a cookie equivalent to "key=value; SameSite=Lax".
> Cookies that require cross-site delivery can explicitly opt-into
> such behavior by asserting "SameSite=None" when creating a
> cookie.
> 2. Require the "Secure" attribute to be set for any cookie which
> asserts "SameSite=None" (similar conceptually to the behavior for
> the "__Secure-" prefix). That is, the "Set-Cookie" value
> "key=value; SameSite=None; Secure" will be accepted, while
> "key=value; SameSite=None" will be rejected."
>
Elle Biala
01:48:17 16 thg 12, 202216/12/22
đến
Marko Makinen
17:53:53 7 thg 2, 20247 thg 2
đến
уторак, 3. децембар 2019. у 21:10:21 UTC+1, raqu...@gmail.com је написао/ла:
> sou curiosa, estou busca de trabalho na área tecnologia, alguém pode me indicar, curso de web! boa tarde
0 tin nhắn mới