
Intent to implement and ship: same-site cookies


Francois Marier

Apr 9, 2018, 10:25:18 PM
We intend to ship same-site cookies in Firefox 61. This new cookie
attribute allows sites to prevent cross-site requests from using those
cookies, which provides a mechanism for web sites to protect themselves
against Cross-Site Request Forgery (CSRF) attacks.

Specification (cookies):
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02

Tracking bug: https://bugzilla.mozilla.org/show_bug.cgi?id=795346

Platform coverage: all

Gating preference: network.cookie.same-site.enabled

Devtools support: https://bugzilla.mozilla.org/show_bug.cgi?id=1452715

Developer documentation:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Directives

Web Platform Tests: http://rfc6265.biz/tests/ (until
https://github.com/w3c/web-platform-tests/issues/8581 is fixed)

Secure contexts: not restricted to secure contexts since cookies are
already available in non-secure contexts

Other browsers:
- Chrome shipped this feature in 51.
- Safari: https://bugs.webkit.org/show_bug.cgi?id=159464
- Edge: https://github.com/MicrosoftEdge/Status/issues/201

Francois and Christoph
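The CSRF protection described in the announcement above comes down to one decision the browser makes per request: given the cookie's SameSite attribute (Strict, Lax, or absent) and whether the request's initiator is the same site as the cookie's origin, is the cookie attached or not? The following is an added example, not code from the original post, from Firefox, or from the draft specification. It models that decision as it stands in draft-ietf-httpbis-rfc6265bis-02, together with the Secure attribute, and runs it against a constructed CSRF scenario. Assumptions: sites are represented as plain registrable-domain strings (a simplification of the spec's "site" computation); the cookie, site and request names are made up for illustration; and a cookie with no SameSite attribute, or with an unrecognised value, is treated as unrestricted, which is the legacy behaviour the draft preserves (later drafts and browsers changed this, so treat it as a labelled assumption).

```javascript
// Added example: a minimal model of the browser-side SameSite / Secure
// cookie-attachment decision from draft-ietf-httpbis-rfc6265bis-02.
// Sites, cookie names and requests below are constructed for illustration;
// "site" is simplified to a registrable-domain string.

// Parse a Set-Cookie header value into {name, value, secure, sameSite}.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    secure: false,
    sameSite: null,          // null = attribute absent
  };
  for (const part of attrParts) {
    const [k, v = ''] = part.trim().split('=');
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// "Safe" methods (RFC 7231): a Lax cookie rides along on these only.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Decide whether `cookie`, set by `cookieSite`, is attached to `request`.
// request = { initiatorSite, targetSite, method, scheme, topLevelNavigation }
function shouldSendCookie(cookie, cookieSite, request) {
  if (request.targetSite !== cookieSite) return false;            // different host altogether
  if (cookie.secure && request.scheme !== 'https') return false;  // Secure: never over http
  if (request.initiatorSite === cookieSite) return true;           // same-site: no restriction
  switch (cookie.sameSite) {
    case 'strict':
      return false;   // never attached to a cross-site request
    case 'lax':
      // only on top-level navigations (address bar, link, form) with a safe method
      return request.topLevelNavigation && SAFE_METHODS.has(request.method);
    default:
      // absent or unrecognised value: unrestricted (assumption, see lead-in)
      return true;
  }
}

// Constructed scenario: bank.example issued three session cookies, one
// without SameSite, one Lax, one Strict.  A page on evil.example then
// auto-submits a hidden POST form to bank.example (classic CSRF).
const bankSite = 'bank.example';
const cookies = [
  'sid_legacy=abc; Secure; HttpOnly',
  'sid_lax=def; Secure; HttpOnly; SameSite=Lax',
  'sid_strict=ghi; Secure; HttpOnly; SameSite=Strict',
].map(parseSetCookie);

const crossSitePost = {
  initiatorSite: 'evil.example', targetSite: bankSite,
  method: 'POST', scheme: 'https', topLevelNavigation: true,
};
const crossSiteLink = { ...crossSitePost, method: 'GET' };                 // user clicks a link
const crossSiteImg  = { ...crossSiteLink, topLevelNavigation: false };     // <img src=...> subresource
const sameSitePost  = { ...crossSitePost, initiatorSite: bankSite };       // bank's own form
const sameSiteHttp  = { ...sameSitePost, scheme: 'http' };                 // downgraded to http

// Names of the cookies the browser would attach to `request`.
function attachedCookies(request) {
  return cookies
    .filter((c) => shouldSendCookie(c, bankSite, request))
    .map((c) => c.name);
}

console.log('cross-site POST (CSRF):', attachedCookies(crossSitePost));  // [ 'sid_legacy' ]
console.log('cross-site link (GET) :', attachedCookies(crossSiteLink));  // [ 'sid_legacy', 'sid_lax' ]
console.log('cross-site <img>      :', attachedCookies(crossSiteImg));   // [ 'sid_legacy' ]
console.log('same-site POST        :', attachedCookies(sameSitePost));   // all three
console.log('same-site over http   :', attachedCookies(sameSiteHttp));   // [] (all are Secure)
```

The CSRF line is the one that matters: only the cookie without a SameSite attribute reaches the forged POST, so a session bound to `sid_lax` or `sid_strict` is not usable by the attacker's form. The `<img>` case shows the Lax/Strict difference is not about GET versus POST alone; Lax still withholds the cookie from cross-site subresource loads, and only sends it on top-level navigations. Note that a site which also honours state-changing GET requests gets no protection from Lax for those endpoints.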

Mike West

Apr 10, 2018, 2:00:08 AM
to Francois Marier, dev-pl...@lists.mozilla.org
Yay! This is exciting, thank you!

On Tue, Apr 10, 2018 at 4:30 AM Francois Marier <fran...@mozilla.com>
wrote:

> We intend to ship same-site cookies in Firefox 61. This new cookie
> attribute allows sites to prevent cross-site requests from using those
> cookies which provides a mechanism for web sites to protect themselves
> against Cross-Site Request Forgery (CSRF) attacks.
>
> Specification (cookies):
> https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
>
> Tracking bug: https://bugzilla.mozilla.org/show_bug.cgi?id=795346
>
> Platform coverage: all
>
> Gating preference: network.cookie.same-site.enabled
>
> Devtools support: https://bugzilla.mozilla.org/show_bug.cgi?id=1452715
>
> Developer documentation:
>
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Directives
>
> Web Platform Tests: http://rfc6265.biz/tests/ (until
> https://github.com/w3c/web-platform-tests/issues/8581 is fixed)
>

https://github.com/w3c/web-platform-tests/issues/2669 is actually the issue
blocking `SameSite`. The issue you've referenced is blocking our port of
some of the tests in https://github.com/abarth/http-state/, but not
`SameSite`.

There's an open PR (https://github.com/w3c/web-platform-tests/pull/10166)
that I hope will land somewhat soon. Once it lands, I'd appreciate y'all's
help porting the tests from https://github.com/mikewest/rfc6265-biz. I hope
it'll be reasonably straightforward.


> Secure contexts: not restricted to secure contexts since cookies are
> already available in non-secure contexts
>

FWIW, I justified this to myself when Chrome shipped it by noting that this
would lead to a net reduction of the number of cookies flowing over HTTP. I
still think that's a reasonable stance.

Jan Odvarko

Apr 10, 2018, 2:21:13 AM
to Francois Marier, dev-platform
On Tue, Apr 10, 2018 at 4:25 AM, Francois Marier <fran...@mozilla.com>
wrote:

> We intend to ship same-site cookies in Firefox 61. This new cookie
> attribute allows sites to prevent cross-site requests from using those
> cookies which provides a mechanism for web sites to protect themselves
> against Cross-Site Request Forgery (CSRF) attacks.
>
> Specification (cookies):
> https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
>
> Tracking bug: https://bugzilla.mozilla.org/show_bug.cgi?id=795346
>
> Platform coverage: all
>
> Gating preference: network.cookie.same-site.enabled
>
> Devtools support: https://bugzilla.mozilla.org/show_bug.cgi?id=1452715


Excellent, and thanks for filing bug for DevTools!

Jan Honza Odvarko

Anne van Kesteren

Apr 10, 2018, 2:57:48 AM
to Francois Marier, dev-platform
On Tue, Apr 10, 2018 at 4:25 AM, Francois Marier <fran...@mozilla.com> wrote:
> Secure contexts: not restricted to secure contexts since cookies are
> already available in non-secure contexts

I'm not entirely convinced that is a good enough reason. We keep
trying to find ways to limit cookies transmitted over HTTP (and
limiting HTTP in general). Offering better cookies over HTTPS seems
like a good incentive for sites to migrate.


--
https://annevankesteren.nl/

Jan Odvarko

Apr 10, 2018, 3:54:07 AM
to Francois Marier, dev-platform
On Tue, Apr 10, 2018 at 4:25 AM, Francois Marier <fran...@mozilla.com>
wrote:

> We intend to ship same-site cookies in Firefox 61. This new cookie
> attribute allows sites to prevent cross-site requests from using those
> cookies which provides a mechanism for web sites to protect themselves
> against Cross-Site Request Forgery (CSRF) attacks.
>
> Specification (cookies):
> https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
>
> Tracking bug: https://bugzilla.mozilla.org/show_bug.cgi?id=795346
>
> Platform coverage: all
>
> Gating preference: network.cookie.same-site.enabled
>
> Devtools support: https://bugzilla.mozilla.org/show_bug.cgi?id=1452715


For anyone interested in DevTools code-base:

The bug is now labeled as good-first-bug and there are detailed
instructions about how to fix it and write a test.

Jan Honza Odvarko

Daniel Veditz

Apr 10, 2018, 1:01:42 PM
to Anne van Kesteren, dev-platform, Francois Marier
On Mon, Apr 9, 2018 at 11:56 PM, Anne van Kesteren <ann...@annevk.nl> wrote:

> We keep
> trying to find ways to limit cookies transmitted over HTTP (and
> limiting HTTP in general). Offering better cookies over HTTPS seems
> like a good incentive for sites to migrate.
>

To me "better cookies" means the __Secure- and __Host- cookie prefixes and
new rules that favor keeping secure cookies over insecure ones. I'm with
Mike in thinking of samesite cookies as fewer cookies, but mostly we just
want to implement it according to the spec so it's compatible.

-Dan Veditz

Francois Marier

Apr 20, 2018, 6:07:09 PM
On 09/04/18 07:25 PM, Francois Marier wrote:
> We intend to ship same-site cookies in Firefox 61.

This has now been uplifted and will be shipping in Firefox 60.

Status can be tracked on https://wiki.mozilla.org/Security/SameSiteCookies.

Francois