Re: Intent to implement and ship: same-site cookies
On 09/04/18 07:25 PM, Francois Marier wrote:
> We intend to ship same-site cookies in Firefox 61.

This has now been uplifted and will be shipping in Firefox 60. Status can be tracked on https://wiki.mozilla.org/Security/SameSiteCookies.

Francois

___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
Re: Intent to implement and ship: same-site cookies
On Mon, Apr 9, 2018 at 11:56 PM, Anne van Kesteren wrote:
> We keep
> trying to find ways to limit cookies transmitted over HTTP (and
> limiting HTTP in general). Offering better cookies over HTTPS seems
> like a good incentive for sites to migrate.

To me "better cookies" means the __Secure- and __Host- cookie prefixes and new rules that favor keeping secure cookies over insecure ones. I'm with Mike in thinking of samesite cookies as fewer cookies, but mostly we just want to implement it according to the spec so it's compatible.

-Dan Veditz
Re: Intent to implement and ship: same-site cookies
On Tue, Apr 10, 2018 at 4:25 AM, Francois Marier wrote:
> We intend to ship same-site cookies in Firefox 61. This new cookie
> attribute allows sites to prevent cross-site requests from using those
> cookies which provides a mechanism for web sites to protect themselves
> against Cross-Site Request Forgery (CSRF) attacks.
>
> Specification (cookies):
> https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
>
> Tracking bug: https://bugzilla.mozilla.org/show_bug.cgi?id=795346
>
> Platform coverage: all
>
> Gating preference: network.cookie.same-site.enabled
>
> Devtools support: https://bugzilla.mozilla.org/show_bug.cgi?id=1452715

For anyone interested in the DevTools code-base: the bug is now labeled as good-first-bug and there are detailed instructions about how to fix it and write a test.

Jan Honza Odvarko
Re: Intent to implement and ship: same-site cookies
On Tue, Apr 10, 2018 at 4:25 AM, Francois Marier wrote:
> Secure contexts: not restricted to secure contexts since cookies are
> already available in non-secure contexts

I'm not entirely convinced that is a good enough reason. We keep trying to find ways to limit cookies transmitted over HTTP (and limiting HTTP in general). Offering better cookies over HTTPS seems like a good incentive for sites to migrate.

--
https://annevankesteren.nl/
Re: Intent to implement and ship: same-site cookies
On Tue, Apr 10, 2018 at 4:25 AM, Francois Marier wrote:
> We intend to ship same-site cookies in Firefox 61. This new cookie
> attribute allows sites to prevent cross-site requests from using those
> cookies which provides a mechanism for web sites to protect themselves
> against Cross-Site Request Forgery (CSRF) attacks.
>
> Specification (cookies):
> https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
>
> Tracking bug: https://bugzilla.mozilla.org/show_bug.cgi?id=795346
>
> Platform coverage: all
>
> Gating preference: network.cookie.same-site.enabled
>
> Devtools support: https://bugzilla.mozilla.org/show_bug.cgi?id=1452715

Excellent, and thanks for filing the bug for DevTools!

Jan Honza Odvarko
Re: Intent to implement and ship: same-site cookies
Yay! This is exciting, thank you!

On Tue, Apr 10, 2018 at 4:30 AM Francois Marier wrote:
> We intend to ship same-site cookies in Firefox 61. This new cookie
> attribute allows sites to prevent cross-site requests from using those
> cookies which provides a mechanism for web sites to protect themselves
> against Cross-Site Request Forgery (CSRF) attacks.
>
> Specification (cookies):
> https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
>
> Tracking bug: https://bugzilla.mozilla.org/show_bug.cgi?id=795346
>
> Platform coverage: all
>
> Gating preference: network.cookie.same-site.enabled
>
> Devtools support: https://bugzilla.mozilla.org/show_bug.cgi?id=1452715
>
> Developer documentation:
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Directives
>
> Web Platform Tests: http://rfc6265.biz/tests/ (until
> https://github.com/w3c/web-platform-tests/issues/8581 is fixed)

https://github.com/w3c/web-platform-tests/issues/2669 is actually the issue blocking `SameSite`. The issue you've referenced is blocking our port of some of the tests in https://github.com/abarth/http-state/, but not `SameSite`. There's an open PR (https://github.com/w3c/web-platform-tests/pull/10166) that I hope will land somewhat soon. Once it lands, I'd appreciate y'all's help porting the tests from https://github.com/mikewest/rfc6265-biz. I hope it'll be reasonably straightforward.

> Secure contexts: not restricted to secure contexts since cookies are
> already available in non-secure contexts

FWIW, I justified this to myself when Chrome shipped it by noting that this would lead to a net reduction of the number of cookies flowing over HTTP. I still think that's a reasonable stance.

> Other browsers:
> - Chrome shipped this feature in 51.
> - Safari: https://bugs.webkit.org/show_bug.cgi?id=159464
> - Edge: https://github.com/MicrosoftEdge/Status/issues/201
Intent to implement and ship: same-site cookies
We intend to ship same-site cookies in Firefox 61. This new cookie attribute allows sites to prevent cross-site requests from using those cookies which provides a mechanism for web sites to protect themselves against Cross-Site Request Forgery (CSRF) attacks.

Specification (cookies): https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02

Tracking bug: https://bugzilla.mozilla.org/show_bug.cgi?id=795346

Platform coverage: all

Gating preference: network.cookie.same-site.enabled

Devtools support: https://bugzilla.mozilla.org/show_bug.cgi?id=1452715

Developer documentation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Directives

Web Platform Tests: http://rfc6265.biz/tests/ (until https://github.com/w3c/web-platform-tests/issues/8581 is fixed)

Secure contexts: not restricted to secure contexts since cookies are already available in non-secure contexts

Other browsers:
- Chrome shipped this feature in 51.
- Safari: https://bugs.webkit.org/show_bug.cgi?id=159464
- Edge: https://github.com/MicrosoftEdge/Status/issues/201

Francois and Christoph
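To make the CSRF mechanism in the announcement concrete, here is an added simulation (not Firefox code, and not from the thread) of the attachment rules the -02 draft gives for SameSite=Strict and SameSite=Lax: a cross-site cookie is withheld under Strict, and under Lax it is sent only on top-level navigations with a safe method. The registrable-domain helper and its suffix table are constructed stand-ins for the Public Suffix List, and unrecognised SameSite values are treated as absent, which is an assumption about the -02 parsing rules.

```python
"""Simulation of SameSite (Strict / Lax) cookie attachment per
draft-ietf-httpbis-rfc6265bis-02. Added example, not Firefox code."""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}
# "Safe" methods that a Lax cookie may accompany on a top-level navigation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def registrable_domain(host: str) -> str:
    """Return eTLD+1 for host using the constructed suffix table."""
    labels = host.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def same_site(url_a: str, url_b: str) -> bool:
    """Two URLs are same-site when their registrable domains match."""
    return registrable_domain(urlsplit(url_a).hostname) == \
        registrable_domain(urlsplit(url_b).hostname)


def parse_samesite(set_cookie: str):
    """Extract 'Strict', 'Lax' or None from a Set-Cookie header value.
    Unrecognised values are treated as no attribute (assumption)."""
    for av in set_cookie.split(";")[1:]:
        name, _, value = av.strip().partition("=")
        if name.lower() == "samesite":
            return {"strict": "Strict", "lax": "Lax"}.get(value.strip().lower())
    return None


def cookie_attached(samesite, initiator_url, request_url, method,
                    top_level_navigation):
    """Decide whether the cookie travels with a request initiated from
    initiator_url (the document's site) to request_url."""
    if samesite is None or same_site(initiator_url, request_url):
        return True                      # no restriction or same-site
    if samesite == "Strict":
        return False                     # never on cross-site requests
    # Lax: only top-level navigations with a safe method carry the cookie,
    # so a cross-site POST (the classic CSRF form) goes out without it.
    return top_level_navigation and method.upper() in SAFE_METHODS


if __name__ == "__main__":
    ss = parse_samesite("session=abc; Secure; HttpOnly; SameSite=Lax")
    print(cookie_attached(ss, "https://evil.org/", "https://bank.com/pay",
                          "POST", False))  # constructed cross-site POST
```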