Thank you for all the hard work you've put into this, Niklas! I'm happy to see this shipping!
On Wed, 15 Dec 2021 at 17:54, Niklas Gögge <[email protected]> wrote:
> Hi, everyone!
>
> Here is a quick update to clear up the uncertainty and confusion.
>
> In the past two weeks we have taken a look at the SameSite cookie WPTs
> that Firefox was failing, investigated the breakages that were reported to
> us and also had QA testing done to ensure there are no breakages on any
> major sites.
> With renewed confidence, we have reached the conclusion that we will still
> ship in Firefox 96.
>
> - Niklas
>
> On Tuesday, November 30, 2021 at 8:24:13 PM UTC+1 Dragana Damjanovic wrote:
>
>> Hi,
>>
>> I would prefer that all breakages reported so far are resolved or
>> otherwise explained before this hits the late Beta. Some of these bugs were
>> reported as late as last month.
>>
>> Can we have a checkpoint before this hits the late Beta? An internal
>> email would be enough.
>> Please close bugs that are not reproducible or write a comment that
>> explains your investigation. I would expect that all breakage bugs are
>> closed before shipping.
>>
>> dragana
>>
>> On Tue, Nov 30, 2021 at 6:47 PM Niklas Gögge <[email protected]> wrote:
>>
>>> Hi Dragana and Valentin,
>>>
>>> We are fairly confident that we won't face major breakages when
>>> released given that:
>>> - We have had these features enabled on Nightly for over a year.
>>> - We will have them on Beta soon.
>>> - Google Chrome has shipped them over a year ago.
>>>
>>> That being said, there can of course still be bugs and we have been
>>> going through the breakages listed in
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1618610. So far all the
>>> breakages we got to were no longer reproducible and we will continue to
>>> verify the rest. Thanks for pointing out the WPT failures, we will make
>>> sure to investigate those. Should we get a significant amount of breakage
>>> reports in Beta we will delay the shipping.
>>>
>>> On Tuesday, November 30, 2021 at 3:34:28 PM UTC+1 [email protected] wrote:
>>>
>>>> There are also a number of sameSite web platform tests that are
>>>> currently marked as failing.
>>>> Before shipping this we should at least try to fix those which pass in
>>>> other browsers.
>>>> https://wpt.fyi/results/cookies?label=experimental&label=master&aligned
>>>>
>>>> On Tue, 30 Nov 2021 at 15:28, Dragana Damjanovic <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have a question about the bugs linked to:
>>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1618610
>>>>> and also
>>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1651119
>>>>>
>>>>> There are some webcompat issues linked as well.
>>>>> Are we confident that these issues are fixed? Can we close them? I
>>>>> would prefer a comment in them saying what is the status, or do we have a
>>>>> doc that analyzes these issues?
>>>>> Do these issues reproduce in Chrome or are they Firefox specific? In
>>>>> the latter case that would be a bug in our code.
>>>>>
>>>>> dragana
>>>>>
>>>>> On Tue, Nov 30, 2021 at 1:45 PM Niklas Gögge <[email protected]> wrote:
>>>>>
>>>>>> As of Firefox 96 we intend to ship “SameSite=Lax by default”,
>>>>>> “SameSite=None only if secure” and “Schemeful SameSite” on all platforms.
>>>>>> These features have been developed behind the following preferences:
>>>>>> “network.cookie.sameSite.laxByDefault”,
>>>>>> “network.cookie.sameSite.noneRequiresSecure”, and
>>>>>> “network.cookie.sameSite.schemeful”.
>>>>>>
>>>>>> Link to the proposal:
>>>>>> https://datatracker.ietf.org/doc/html/draft-west-cookie-incrementalism-01
>>>>>>
>>>>>> Summary:
>>>>>> "1. Treat the lack of an explicit "SameSite" attribute as
>>>>>>     "SameSite=Lax". That is, the "Set-Cookie" value "key=value" will
>>>>>>     produce a cookie equivalent to "key=value; SameSite=Lax".
>>>>>>     Cookies that require cross-site delivery can explicitly opt-into
>>>>>>     such behavior by asserting "SameSite=None" when creating a cookie.
>>>>>> 2. Require the "Secure" attribute to be set for any cookie which
>>>>>>     asserts "SameSite=None" (similar conceptually to the behavior for
>>>>>>     the "__Secure-" prefix). That is, the "Set-Cookie" value
>>>>>>     "key=value; SameSite=None; Secure" will be accepted, while
>>>>>>     "key=value; SameSite=None" will be rejected.
>>>>>> 3. Require both the scheme and registrable domain of a request's
>>>>>>     client's "site for cookies" to match the target URL when deciding
>>>>>>     whether a given request is considered same-site. That is, a
>>>>>>     request initiated from "http://site.example" to
>>>>>>     "https://site.example" should be considered cross-site."
>>>>>>
>>>>>> Google Chrome has already shipped these features.
>>>>>>
>>>>>> Bug to turn on by default:
>>>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1617609
>>>>>>
>>>>>> SameSite MDN Docs:
>>>>>> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
>>>>>>
>>>>>> web-platform-tests:
>>>>>> https://github.com/web-platform-tests/wpt/tree/master/cookies/samesite-none-secure
>>>>>> https://github.com/web-platform-tests/wpt/tree/master/cookies/schemeful-same-site
>>>>>> https://github.com/web-platform-tests/wpt/tree/master/cookies/samesite
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "[email protected]" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to [email protected].
>>>>>> To view this discussion on the web visit
>>>>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/454e63d5-17fb-45d6-a0d2-ab277d049de3n%40mozilla.org
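The three rules quoted in the intent-to-ship summary above, modelled as an added example (not part of the thread and not Firefox code). It assumes the registrable domain is the last two host labels instead of consulting the Public Suffix List, models only the SameSite decision, and all function names are illustrative.

```javascript
// Added illustration: simplified model of the three rules, not Firefox code.
// Assumption: registrable domain = last two host labels. Browsers use the
// Public Suffix List, so this is wrong for suffixes such as co.uk.
function site(url) {
  const u = new URL(url);
  return { scheme: u.protocol.slice(0, -1), domain: u.hostname.split(".").slice(-2).join(".") };
}

// Rule 3 (Schemeful SameSite): scheme and registrable domain must both match.
// schemeful=false reproduces the older, domain-only comparison.
function isSameSite(initiatorUrl, targetUrl, schemeful = true) {
  const a = site(initiatorUrl), b = site(targetUrl);
  return a.domain === b.domain && (!schemeful || a.scheme === b.scheme);
}

// Rules 1 and 2: parse a Set-Cookie value, apply the Lax default, and
// reject SameSite=None when Secure is absent.
function evaluateSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq < 0 ? "" : pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (k === "secure") cookie.secure = true;
    // An unrecognised SameSite value falls back to the default.
    if (k === "samesite") cookie.sameSite = ["strict", "lax", "none"].includes(v) ? v : null;
  }
  if (cookie.sameSite === null) cookie.sameSite = "lax"; // rule 1
  if (cookie.sameSite === "none" && !cookie.secure) {
    return { accepted: false, reason: "SameSite=None without Secure" }; // rule 2
  }
  return { accepted: true, cookie };
}

// Would an accepted cookie be attached to this request?
function sentOnRequest(cookie, initiatorUrl, targetUrl, { topLevelNavigation = false, method = "GET" } = {}) {
  if (cookie.sameSite === "none") return true;
  if (isSameSite(initiatorUrl, targetUrl)) return true;
  // Cross-site: Lax permits only top-level navigations with a safe method.
  const safe = ["GET", "HEAD", "OPTIONS", "TRACE"].includes(method.toUpperCase());
  return cookie.sameSite === "lax" && topLevelNavigation && safe;
}
```

With the schemeful rule on, a cookie set by `https://site.example` without a SameSite attribute is withheld from a subresource request initiated by a page on `http://site.example`, which is the kind of breakage the linked bugs track.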
