Re: Intent to implement: Cookie SameSite=lax by default and SameSite=none only if secure
Like this or it's better +

A cookie associated with a resource at http://trc.taboola.com/ was set with `SameSite=None` but without `Secure`. A future release of Chrome will only deliver cookies marked `SameSite=None` if they are also marked `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.

Add:lpcres.delve.office.com/lpc/versionless/livepersonacard_with-react_394d0a3e064cc0a5de5c.js:16 Some icons were re-registered. Applications should only call registerIcons for any given icon once. Redefining what an icon is may have unintended consequences. Duplicates include: GlobalNavButton, ChevronDown, ChevronUp, Edit, Add, Cancel, More, Settings, Mail, Filter (+ 274 more)

___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
Re: Intent to implement: Cookie SameSite=lax by default and SameSite=none only if secure
On Thursday, May 23, 2019, 4:34:14 (UTC-4), Andrea Marchesini wrote:
> Link to the proposal:
> https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
>
> Summary:
> "1. Treat the lack of an explicit "SameSite" attribute as
> "SameSite=Lax". That is, the "Set-Cookie" value "key=value" will
> produce a cookie equivalent to "key=value; SameSite=Lax".
> Cookies that require cross-site delivery can explicitly opt-into
> such behavior by asserting "SameSite=None" when creating a
> cookie.
> 2. Require the "Secure" attribute to be set for any cookie which
> asserts "SameSite=None" (similar conceptually to the behavior for
> the "__Secure-" prefix). That is, the "Set-Cookie" value
> "key=value; SameSite=None; Secure" will be accepted, while
> "key=value; SameSite=None" will be rejected."
>
> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1551798
>
> Platform coverage: all
>
> Estimated or target release: 69 - behind pref
>
> Preferences behind which this will be implemented:
> - network.cookie.sameSite.laxByDefault
> - network.cookie.sameSite.noneRequiresSecure (this requires the previous
> one to be set to true)
>
> Is this feature enabled by default in sandboxed iframes? yes.
>
> Do other browser engines implement this?
> - Chrome is implementing/experimenting this feature:
> https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
> - Safari: no signal yet.
>
> web-platform-tests: There is a pull-request
> https://github.com/web-platform-tests/wpt/pull/16957
> Implementing this feature, I added a mochitest to inspect cookies via
> CookieManager.
>
> Is this feature restricted to secure contexts? no

<001M >HTML. Is save Thanks
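Added example, not part of the thread and not Firefox code: a small audit that applies the two rules quoted above to `Set-Cookie` values and reports which cookies change treatment once both prefs are on. The function names and sample headers are constructed; treating an unrecognized `SameSite` value like a missing attribute is an assumption of this sketch.

```javascript
// Parse one Set-Cookie value into the fields the two rules care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? '' : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map(s => s.trim());
    if (k.toLowerCase() === 'secure') cookie.secure = true;
    if (k.toLowerCase() === 'samesite') cookie.sameSite = v.toLowerCase();
  }
  return cookie;
}

// prefs mirrors network.cookie.sameSite.laxByDefault / noneRequiresSecure.
function evaluate(header, prefs) {
  const c = parseSetCookie(header);
  // Assumption: only strict/lax/none count as an explicit attribute.
  const explicit = ['strict', 'lax', 'none'].includes(c.sameSite) ? c.sameSite : null;
  // Per the post, noneRequiresSecure only takes effect if laxByDefault is true.
  const noneNeedsSecure = prefs.laxByDefault && prefs.noneRequiresSecure;
  if (explicit === 'none' && !c.secure && noneNeedsSecure) {
    return { name: c.name, accepted: false, sameSite: null };
  }
  // Rule 1: no explicit attribute means Lax; the legacy default is unrestricted.
  const sameSite = explicit || (prefs.laxByDefault ? 'lax' : 'none');
  return { name: c.name, accepted: true, sameSite };
}

// Return only the cookies whose handling differs between legacy and new behaviour.
function audit(headers) {
  const legacy = { laxByDefault: false, noneRequiresSecure: false };
  const updated = { laxByDefault: true, noneRequiresSecure: true };
  return headers
    .map(h => ({ header: h, before: evaluate(h, legacy), after: evaluate(h, updated) }))
    .filter(r => r.before.accepted !== r.after.accepted ||
                 r.before.sameSite !== r.after.sameSite);
}

// Constructed sample headers.
const SAMPLE = [
  'sid=abc123; Path=/; HttpOnly',
  'track=1; SameSite=None',
  'track=1; SameSite=None; Secure',
  'pref=dark; SameSite=Strict',
];
for (const r of audit(SAMPLE)) {
  console.log(r.header, '=>', r.after.accepted ? `SameSite=${r.after.sameSite}` : 'rejected');
}
```
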