We intend to ship same-site cookies in Firefox 61. This new cookie
attribute allows sites to prevent cross-site requests from using those
cookies which provides a mechanism for web sites to protect themselves
against Cross-Site Request Forgery (CSRF) attacks.
> Secure contexts: not restricted to secure contexts since cookies are
> already available in non-secure contexts
>
FWIW, I justified this to myself when Chrome shipped it by noting that this
would lead to a net reduction of the number of cookies flowing over HTTP. I
still think that's a reasonable stance.
Jan Odvarko
Apr 10, 2018, 2:21:13 AM
to Francois Marier, dev-platform
On Tue, Apr 10, 2018 at 4:25 AM, Francois Marier <fran...@mozilla.com>
wrote:
Excellent, and thanks for filing a bug for DevTools!
Jan Honza Odvarko
Anne van Kesteren
Apr 10, 2018, 2:57:48 AM
to Francois Marier, dev-platform
On Tue, Apr 10, 2018 at 4:25 AM, Francois Marier <fran...@mozilla.com> wrote:
> Secure contexts: not restricted to secure contexts since cookies are
> already available in non-secure contexts
I'm not entirely convinced that is a good enough reason. We keep
trying to find ways to limit cookies transmitted over HTTP (and
limiting HTTP in general). Offering better cookies over HTTPS seems
like a good incentive for sites to migrate.
The bug is now labeled as good-first-bug and there are detailed
instructions about how to fix it and write a test.
Jan Honza Odvarko
Daniel Veditz
Apr 10, 2018, 1:01:42 PM
to Anne van Kesteren, dev-platform, Francois Marier
On Mon, Apr 9, 2018 at 11:56 PM, Anne van Kesteren <ann...@annevk.nl> wrote:
> We keep trying to find ways to limit cookies transmitted over HTTP (and
> limiting HTTP in general). Offering better cookies over HTTPS seems
> like a good incentive for sites to migrate.
>
To me "better cookies" means the __Secure- and __Host- cookie prefixes and
new rules that favor keeping secure cookies over insecure ones. I'm with
Mike in thinking of samesite cookies as fewer cookies, but mostly we just
want to implement it according to the spec so it's compatible.
-Dan Veditz
Francois Marier
Apr 20, 2018, 6:07:09 PM
On 09/04/18 07:25 PM, Francois Marier wrote:
> We intend to ship same-site cookies in Firefox 61.
This has now been uplifted and will be shipping in Firefox 60.
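
The cross-site restriction described in the announcement at the top of this thread, modelled as an added example (it is not Firefox code and not from any poster here). The site names, request fields and function names are assumptions; a cookie with no SameSite attribute, or an unrecognized value, is treated as unrestricted in this model.

```javascript
// Simplified model of the same-site check applied before a cookie is
// attached to a request. Added example, not browser source code.

// Extract the SameSite mode from a Set-Cookie header value.
function parseSameSite(header) {
  const attrs = header.split(";").slice(1); // skip the name=value pair
  let mode = null;
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (key !== "samesite") continue;
    // Assumption of this model: unrecognized values count as "no attribute".
    mode = val === "strict" ? "Strict" : val === "lax" ? "Lax" : null;
  }
  return mode;
}

// "Safe" methods per RFC 7231, section 4.2.1.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Decide whether a cookie with the given mode accompanies a request.
// Assumption: initiatorSite/targetSite are already-computed registrable
// domains; a browser derives them using the Public Suffix List.
function cookieIsSent(mode, req) {
  if (mode === null) return true; // no attribute: unrestricted
  if (req.initiatorSite === req.targetSite) return true; // same-site request
  if (mode === "Strict") return false; // never sent cross-site
  // Lax: cross-site only on top-level navigations using a safe method.
  return req.topLevelNavigation && SAFE_METHODS.has(req.method.toUpperCase());
}

// Constructed requests against a hypothetical site, shop.example.
const target = "shop.example";
const REQUESTS = {
  sameSiteFormPost: { initiatorSite: target, targetSite: target, method: "POST", topLevelNavigation: true },
  crossSiteFormPost: { initiatorSite: "other.example", targetSite: target, method: "POST", topLevelNavigation: true },
  crossSiteLinkClick: { initiatorSite: "other.example", targetSite: target, method: "GET", topLevelNavigation: true },
  crossSiteImageLoad: { initiatorSite: "other.example", targetSite: target, method: "GET", topLevelNavigation: false },
};

// Return, per constructed request, whether the cookie would be sent.
function evaluate(header) {
  const mode = parseSameSite(header);
  const out = {};
  for (const [name, req] of Object.entries(REQUESTS)) out[name] = cookieIsSent(mode, req);
  return out;
}

console.log(evaluate("sid=abc123; Path=/; HttpOnly; SameSite=Lax"));
```

The cross-site form POST is the CSRF-shaped request: it carries the cookie only when the attribute is absent.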