There are also a number of sameSite web platform tests that are currently marked as failing. Before shipping this we should at least try to fix those which pass in other browsers. https://wpt.fyi/results/cookies?label=experimental&label=master&aligned
On Tue, 30 Nov 2021 at 15:28, Dragana Damjanovic <[email protected]> wrote:
> Hi,
>
> I have a question about the bugs linked to:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1618610
> and also
> https://bugzilla.mozilla.org/show_bug.cgi?id=1651119
>
> There are some webcompat issues linked as well.
> Are we confident that these issues are fixed? Can we close them? I would
> prefer a comment in them saying what is the status, or do we have a doc
> that analyzes these issues?
> Do these issues reproduce in Chrome or are they Firefox specific? In the
> latter case that would be a bug in our code.
>
>
> dragana
>
> On Tue, Nov 30, 2021 at 1:45 PM Niklas Gögge <[email protected]> wrote:
>
>> As of Firefox 96 we intend to ship “SameSite=Lax by default”,
>> “SameSite=None only if secure” and “Schemeful SameSite” on all platforms.
>> These features have been developed behind the following preferences:
>> “network.cookie.sameSite.laxByDefault”,
>> “network.cookie.sameSite.noneRequiresSecure”, and
>> “network.cookie.sameSite.schemeful”.
>>
>> Link to the proposal:
>> https://datatracker.ietf.org/doc/html/draft-west-cookie-incrementalism-01
>>
>> Summary:
>> "1. Treat the lack of an explicit "SameSite" attribute as
>>     "SameSite=Lax". That is, the "Set-Cookie" value "key=value" will
>>     produce a cookie equivalent to "key=value; SameSite=Lax".
>>     Cookies that require cross-site delivery can explicitly opt-into
>>     such behavior by asserting "SameSite=None" when creating a
>>     cookie.
>> 2. Require the "Secure" attribute to be set for any cookie which
>>     asserts "SameSite=None" (similar conceptually to the behavior for
>>     the "__Secure-" prefix). That is, the "Set-Cookie" value
>>     "key=value; SameSite=None; Secure" will be accepted, while
>>     "key=value; SameSite=None" will be rejected.
>> 3. Require both the scheme and registrable domain of a request's
>>     client's "site for cookies" to match the target URL when deciding
>>     whether a given request is considered same-site. That is, a
>>     request initiated from "http://site.example" to
>>     "https://site.example" should be considered cross-site."
>>
>> Google Chrome has already shipped these features.
>>
>> Bug to turn on by default:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1617609
>>
>> SameSite MDN Docs:
>> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
>> web-platform-tests:
>>
>> https://github.com/web-platform-tests/wpt/tree/master/cookies/samesite-none-secure
>>
>> https://github.com/web-platform-tests/wpt/tree/master/cookies/schemeful-same-site
>> https://github.com/web-platform-tests/wpt/tree/master/cookies/samesite
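The three rules quoted in the summary above, worked through as an added example that is not part of the original thread and is not Firefox code. The function names are hypothetical, and the registrable domain is approximated as the last two host labels, where a browser would consult the Public Suffix List.

```javascript
// Added illustration of the three rules in the quoted summary; not Firefox code.
// ASSUMPTION: the registrable domain is approximated as the last two host
// labels. Real browsers consult the Public Suffix List.
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// Rule 3 (schemeful same-site): scheme and registrable domain must both match.
function isSameSite(initiatorUrl, targetUrl, schemeful = true) {
  const a = new URL(initiatorUrl);
  const b = new URL(targetUrl);
  if (registrableDomain(a.hostname) !== registrableDomain(b.hostname)) return false;
  return !schemeful || a.protocol === b.protocol;
}

// Rules 1 and 2: parse a Set-Cookie value into its effective policy.
function evaluateSetCookie(value) {
  const attrs = value.split(';').slice(1).map((s) => s.trim().toLowerCase());
  const secure = attrs.includes('secure');
  const declared = attrs.find((a) => a.startsWith('samesite='));
  let sameSite = declared ? declared.slice('samesite='.length).trim() : '';
  // Rule 1: no SameSite attribute means Lax. Treating an unrecognised value
  // the same way is an assumption of this sketch.
  if (!['strict', 'lax', 'none'].includes(sameSite)) sameSite = 'lax';
  // Rule 2: SameSite=None without Secure is rejected.
  if (sameSite === 'none' && !secure) {
    return { accepted: false, sameSite, secure };
  }
  return { accepted: true, sameSite, secure };
}

// Would the cookie be attached to this request? topLevelGet marks a top-level
// navigation with a safe method, the one cross-site case Lax still allows.
function wouldAttach(setCookieValue, initiatorUrl, targetUrl, topLevelGet = false) {
  const cookie = evaluateSetCookie(setCookieValue);
  if (!cookie.accepted) return false;
  if (cookie.secure && new URL(targetUrl).protocol !== 'https:') return false;
  if (cookie.sameSite === 'none') return true;
  if (isSameSite(initiatorUrl, targetUrl)) return true;
  return cookie.sameSite === 'lax' && topLevelGet;
}
```

A site that relies on cross-site subresource or iframe delivery of a cookie set as plain "key=value" will see `wouldAttach` flip from true to false under these defaults, which is the class of webcompat breakage the linked bugs track.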
