Hi, everyone!
Here is a quick update to clear up the uncertainty and confusion. In the past two weeks we have taken a look at the SameSite cookie WPTs that Firefox was failing, investigated the breakages that were reported to us and also had QA testing done to ensure there are no breakages on any major sites. With renewed confidence, we have reached the conclusion that we will still ship in Firefox 96. - Niklas On Tuesday, November 30, 2021 at 8:24:13 PM UTC+1 Dragana Damjanovic wrote: > Hi, > > I would prefer that all breakages reported so far are resolved or > otherwise explained before this hits the late Beta. Some of these bugs were > reported as late as last month. > > Can we have a checkpoint before this hits the late Beta? An internal email > would be enough. > Please close bugs that are not reproducible or write a comment that > explains your investigation. I would expect that all breakage bugs are > closed before shipping. > > dragana > > On Tue, Nov 30, 2021 at 6:47 PM Niklas Gögge <[email protected]> wrote: > >> Hi Dragana and Valentin, We are fairly confident that we won't face major >> breakages when released given that: - We have had these features enabled on >> Nightly for over a year. - We will have them on Beta soon. - Google Chrome >> has shipped them over a year ago. That being said, there can of course >> still be bugs and we have been going through the breakages listed in >> https://bugzilla.mozilla.org/show_bug.cgi?id=1618610. So far all the >> breakages we got to were no longer reproducible and we will continue to >> verify the rest. Thanks for pointing out the WPT failures, we will make >> sure to investigate those. Should we get a significant amount of breakage >> reports in Beta we will delay the shipping. >> >> On Tuesday, November 30, 2021 at 3:34:28 PM UTC+1 [email protected] >> wrote: >> >>> There are also a number of sameSite web platform tests that are >>> currently marked as failing. >>> Before shipping this we should at least try to fix those which pass in >>> other browsers. >>> https://wpt.fyi/results/cookies?label=experimental&label=master&aligned >>> >>> >>> >>> On Tue, 30 Nov 2021 at 15:28, Dragana Damjanovic < >>> [email protected]> wrote: >>> >>>> Hi, >>>> >>>> I have a question about the bugs linked to: >>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1618610 >>>> and also >>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1651119 >>>> >>>> There are some webcompat issues linked as well. >>>> Are we confident that these issues are fixed?Can we close them? I would >>>> prefer a comment in them saying what is the status, or do we have a doc >>>> that analyzes these issues? >>>> Do these issues reproduce in Chrome or are they Firefox specific? In >>>> the latter case that would be a bug in our code. >>>> >>>> >>>> dragana >>>> >>>> On Tue, Nov 30, 2021 at 1:45 PM Niklas Gögge <[email protected]> >>>> wrote: >>>> >>>>> As of Firefox 96 we intend to ship “SameSite=Lax by default”, >>>>> “SameSite=None only if secure” and “Schemeful SameSite” on all platforms. >>>>> These features have been developed behind the following preferences: >>>>> “network.cookie.sameSite.laxByDefault”, >>>>> “network.cookie.sameSite.noneRequiresSecure”, and >>>>> “network.cookie.sameSite.schemeful”. >>>>> >>>>> Link to the proposal: >>>>> https://datatracker.ietf.org/doc/html/draft-west-cookie-incrementalism-01 >>>>> >>>>> Summary: >>>>> "1. Treat the lack of an explicit "SameSite" attribute as >>>>> "SameSite=Lax". That is, the "Set-Cookie" value "key=value" >>>>> will >>>>> produce a cookie equivalent to "key=value; SameSite=Lax". >>>>> Cookies that require cross-site delivery can explicitly opt-into >>>>> such behavior by asserting "SameSite=None" when creating a >>>>> cookie. >>>>> 2. Require the "Secure" attribute to be set for any cookie which >>>>> asserts "SameSite=None" (similar conceptually to the behavior >>>>> for >>>>> the "__Secure-" prefix). That is, the "Set-Cookie" value >>>>> "key=value; SameSite=None; Secure" will be accepted, while >>>>> "key=value; SameSite=None" will be rejected. >>>>> 3. Require both the scheme and registrable domain of a request's >>>>> client's "site for cookies" to match the target URL when >>>>> deciding >>>>> whether a given request is considered same-site. That is, a >>>>> request initiated from "http://site.example"; to >>>>> "https://site.example"; should be considered cross-site." >>>>> >>>>> Google Chrome has already shipped these features. >>>>> >>>>> Bug to turn on by default: >>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1617609 >>>>> >>>>> SameSite MDN Docs: >>>>> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite >>>>> web-platform-tests: >>>>> >>>>> https://github.com/web-platform-tests/wpt/tree/master/cookies/samesite-none-secure >>>>> >>>>> https://github.com/web-platform-tests/wpt/tree/master/cookies/schemeful-same-site >>>>> https://github.com/web-platform-tests/wpt/tree/master/cookies/samesite >>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "[email protected]" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to [email protected]. >>>>> To view this discussion on the web visit >>>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/454e63d5-17fb-45d6-a0d2-ab277d049de3n%40mozilla.org >>>>> >>>>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/454e63d5-17fb-45d6-a0d2-ab277d049de3n%40mozilla.org?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "[email protected]" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> >>> To view this discussion on the web visit >>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CACOB9hDHfAEj%3DpziqMmSK9GPzOwbsBb0yMLXEZ_OoGJdk1LayA%40mail.gmail.com >>>> >>>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CACOB9hDHfAEj%3DpziqMmSK9GPzOwbsBb0yMLXEZ_OoGJdk1LayA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/9d382272-cecb-4cb3-b02f-f442c1dc32f4n%40mozilla.org.
