[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Page MenuHomePhabricator

SameSite cookie issues
Open, Needs TriagePublic

Description

This is a tracking task for grouping issues related to the SameSite cookie flag.

SameSite=Strict prevents access to the cookie unless the request originates from the same domain. SameSite=Lax is similar but exempts top-level GET requests (such as loading a new page by clicking on a link). SameSite=None is the traditional behavior (no restrictions) which used to be the default, but modern browsers are increasingly defaulting to SameSite=Lax, and also starting to ignore SameSite=None when the cookie is not set with the Secure flag (and over HTTPS). Some older browsers OTOH interpret any value as Strict. (details, details)

"Same domain" also means same scheme; this might impact mixed-protocol non-Wikimedia sites and leftover HTTP links on Wikimedia sites.


Both Firefox and Chrome do (did?) default to None for top-level requests when the cookie is less than two-minutes old. (source).


Spec:


Testing:

  • current browser behavior: https://samesite-sandbox.glitch.me/ - with the new SameSite behavior, it should be all green.
  • Chrome: override with same-site-by-default-cookies and cookies-without-same-site-must-be-secure
  • Firefox: override with network.cookie.sameSite.laxByDefault and network.cookie.sameSite.noneRequiresSecure

Related Objects

StatusSubtypeAssignedTask
OpenNone
InvalidNone
Resolvedtstarling
DuplicateNone
InvalidNone
InvalidNone
ResolvedKrinkle
ResolvedDLynch
ResolvedTgr
OpenNone
ResolvedReedy
ResolvedBUG REPORTMichael
DeclinedNone
DeclinedNone
OpenBUG REPORTNone
DeclinedBUG REPORTNone
OpenNone
Resolvedcicalese
InvalidBUG REPORTNone
OpenNone
OpenCDanis
Resolvedtstarling

Event Timeline

Does this announcement mean that SameSite issues will become much more widespread starting today?

Firefox rolls out Total Cookie Protection by default to all users worldwide
Starting today, Firefox is rolling out Total Cookie Protection by default to all Firefox users worldwide [...]
Total Cookie Protection works by creating a separate “cookie jar” for each website you visit. Instead of allowing trackers to link up your behavior on multiple sites, they just get to see behavior on individual sites.

https://blog.mozilla.org/en/products/firefox/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/

Some of the depending bugs are quite significant, for instance T277904 . If the sitenotice cannot be dismissed any more, wikis should probably be advised to stop using it until the bug is solved. Generally speaking, some testing and communication is likely needed here.

Does [the Total Cookie Protection] announcement mean that SameSite issues will become much more widespread starting today?

The more technical spec for this is State Partitioning. It will probably cause similar issues (note that the current version of the spec talks about sites "having the same registrable domain", so e.g. en.wikipedia.org and de.wikipedia.org would be considered same-site; but login.wikimedia.org not), but it's only enabled for private browsing or when Enhanced Tracking Protection is manually set to strict mode (which warns that "may cause some sites or content to break"), which given the low market share of Firefox, means it will effect a fairly small part of the audience.

That said, what they call Network Partitioning is enabled for everyone, and might have performance implications - details are scarce, but it seems to suggest e.g. DNS cache and HTTP cache would be split by referrer domain.

which given the low market share of Firefox, means it will effect a fairly small part of the audience.

Well, IE11 has even smaller share I think, but because of supporting it we were/are stuck with some pre-historic ECMAScript.