Yay! This is exciting, thank you!

On Tue, Apr 10, 2018 at 4:30 AM Francois Marier <franc...@mozilla.com>
wrote:

> We intend to ship same-site cookies in Firefox 61. This new cookie
> attribute allows sites to prevent cross-site requests from using those
> cookies, which provides a mechanism for web sites to protect themselves
> against Cross-Site Request Forgery (CSRF) attacks.
>
> Specification (cookies):
> https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
>
> Tracking bug: https://bugzilla.mozilla.org/show_bug.cgi?id=795346
>
> Platform coverage: all
>
> Gating preference: network.cookie.same-site.enabled
>
> Devtools support: https://bugzilla.mozilla.org/show_bug.cgi?id=1452715
>
> Developer documentation:
>
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Directives
>
> Web Platform Tests: http://rfc6265.biz/tests/ (until
> https://github.com/w3c/web-platform-tests/issues/8581 is fixed)
>

https://github.com/w3c/web-platform-tests/issues/2669 is actually the issue
blocking `SameSite`. The issue you've referenced is blocking our port of
some of the tests in https://github.com/abarth/http-state/, but not
`SameSite`.

There's an open PR (https://github.com/w3c/web-platform-tests/pull/10166)
that I hope will land somewhat soon. Once it lands, I'd appreciate y'all's
help porting the tests from https://github.com/mikewest/rfc6265-biz. I hope
it'll be reasonably straightforward.


> Secure contexts: not restricted to secure contexts since cookies are
> already available in non-secure contexts
>

FWIW, I justified this to myself when Chrome shipped it by noting that this
would lead to a net reduction of the number of cookies flowing over HTTP. I
still think that's a reasonable stance.


> Other browsers:
> - Chrome shipped this feature in 51.
> - Safari: https://bugs.webkit.org/show_bug.cgi?id=159464
> - Edge: https://github.com/MicrosoftEdge/Status/issues/201
>
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
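
The behaviour announced in the thread above, as an added example that is not part of the original messages and is not Firefox code: a simplified model of when a cookie carrying `SameSite=Strict` or `SameSite=Lax` is attached to a request. The hosts, the request object shape, and the two-label approximation of a "site" are assumptions of this sketch; browsers use the Public Suffix List and the full algorithm in the cookie draft.

```javascript
// Added illustration: which requests carry a cookie under the Strict/Lax rules.
// Assumption: a "site" is approximated by the last two host labels.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

const siteOf = (host) => host.toLowerCase().split(".").slice(-2).join(".");

// Extract the SameSite mode from a Set-Cookie header value.
// Returns "Strict", "Lax", or null when absent or unrecognised (sketch assumption).
function sameSiteMode(setCookie) {
  for (const av of setCookie.split(";").slice(1)) {
    const [name, value = ""] = av.split("=").map((s) => s.trim().toLowerCase());
    if (name !== "samesite") continue;
    if (value === "strict") return "Strict";
    if (value === "lax") return "Lax";
  }
  return null;
}

// request: { method, targetHost, initiatorHost, topLevelNavigation }
// initiatorHost is null for navigations the user starts directly (typed URL, bookmark).
function cookieIsSent(setCookie, request) {
  const mode = sameSiteMode(setCookie);
  if (mode === null) return true; // no attribute: cookie is sent on every request
  const sameSite = request.initiatorHost === null ||
    siteOf(request.initiatorHost) === siteOf(request.targetHost);
  if (sameSite) return true;
  if (mode === "Strict") return false;
  // Lax: cross-site requests qualify only as top-level navigations with a safe method
  return request.topLevelNavigation && SAFE_METHODS.has(request.method.toUpperCase());
}

// Constructed sample requests against a hypothetical www.bank.example.
const crossSitePost = { method: "POST", targetHost: "www.bank.example",
  initiatorHost: "other.example", topLevelNavigation: true };
const crossSiteLink = { method: "GET", targetHost: "www.bank.example",
  initiatorHost: "other.example", topLevelNavigation: true };
const crossSiteImage = { method: "GET", targetHost: "www.bank.example",
  initiatorHost: "other.example", topLevelNavigation: false };
const sameSitePost = { method: "POST", targetHost: "www.bank.example",
  initiatorHost: "login.bank.example", topLevelNavigation: false };

for (const header of ["sid=abc", "sid=abc; SameSite=Lax", "sid=abc; Secure; samesite=strict"]) {
  console.log(header, "->", [crossSitePost, crossSiteLink, crossSiteImage, sameSitePost]
    .map((r) => cookieIsSent(header, r)));
}
```

The cross-site POST, the shape of a classic CSRF request, carries the cookie only when the attribute is absent; `Lax` still lets the cookie through on a followed link, which `Strict` does not.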