On Wednesday, July 1, 2020 at 11:07:36 AM UTC-4, mco...@mozilla.com wrote:
> Starting with Beta 79 today, we are rolling out this change to the default 
> behavior of SameSite cookies to a small percentage of the beta population. 
> The initial target is 10%, slowly increasing to 50% by the end of the beta 
> cycle. We will hold at 50% for at least two more beta cycles, at which point 
> we will consider introducing this to a small percentage of the Firefox 
> release population. 
> 
> Known site breakage is being tracked here: 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1618610 
> 
> Web developers can find more information here: 
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#Fixing_common_warnings
>  
> 
> A good overview of this issue can be found here: 
> https://web.dev/samesite-cookies-explained/ 
> 
> Mike Conca 
> Group Product Manager, Firefox Web Technologies
> On Thursday, May 23, 2019 at 2:34:14 AM UTC-6, Andrea Marchesini wrote: 
> > Link to the proposal: 
> > https://tools.ietf.org/html/draft-west-cookie-incrementalism-00 
> > 
> > Summary: 
> > "1. Treat the lack of an explicit "SameSite" attribute as 
> > "SameSite=Lax". That is, the "Set-Cookie" value "key=value" will 
> > produce a cookie equivalent to "key=value; SameSite=Lax". 
> > Cookies that require cross-site delivery can explicitly opt-into 
> > such behavior by asserting "SameSite=None" when creating a 
> > cookie. 
> > 2. Require the "Secure" attribute to be set for any cookie which 
> > asserts "SameSite=None" (similar conceptually to the behavior for 
> > the "__Secure-" prefix). That is, the "Set-Cookie" value 
> > "key=value; SameSite=None; Secure" will be accepted, while 
> > "key=value; SameSite=None" will be rejected."

Mike,

I am seeing this warning now, even when I am in a first party context:

Cookie "xxx" will be soon rejected because it has the "SameSite" attribute set 
to "None" or an invalid value, without the "secure" attribute. The cookies in 
question are set in the .cfainstitute.org domain and being read only in that 
same domain. Am I to infer they are going to be rejected anyway, simply because 
they lack the "secure" attribute?  
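As an added example (not part of this thread or of Firefox's code), the checker below applies the two rules quoted from the draft above to raw Set-Cookie header values and reports the effective SameSite value and whether the cookie is accepted; the sample headers and the example.org domain are constructed.

```python
# Added example, not from the thread: apply the two rules quoted from
# draft-west-cookie-incrementalism-00 to raw Set-Cookie header values.
# Rule 1: a missing SameSite attribute is treated as Lax.
# Rule 2: SameSite=None is accepted only together with Secure.
# An invalid SameSite value is treated like None, as the Firefox warning
# quoted in the thread does ("None or an invalid value").
from dataclasses import dataclass

SAMESITE_VALUES = {"strict": "Strict", "lax": "Lax", "none": "None"}

@dataclass
class CookieVerdict:
    name: str
    effective_samesite: str  # "Strict", "Lax" or "None" after defaulting
    secure: bool
    accepted: bool
    reason: str

def parse_set_cookie(header: str) -> tuple[str, str, dict]:
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:  # skip empty fragments such as a trailing ';'
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def evaluate(header: str) -> CookieVerdict:
    """Report how the cookie is treated under the new defaults. The verdict
    depends only on the attributes, not on the context the cookie is read in."""
    name, _value, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    raw = attrs.get("samesite")
    if raw is None:
        return CookieVerdict(name, "Lax", secure, True,
                             "no SameSite attribute, defaulted to Lax (rule 1)")
    effective = SAMESITE_VALUES.get(raw.lower(), "None")
    if effective == "None" and not secure:
        return CookieVerdict(name, "None", secure, False,
                             f"SameSite={raw} without Secure is rejected (rule 2)")
    return CookieVerdict(name, effective, secure, True, f"SameSite={effective} accepted")

if __name__ == "__main__":
    # Constructed sample headers; the last one mirrors the case in the question.
    for h in ("sid=1", "sid=1; SameSite=None; Secure", "sid=1; SameSite=Strict",
              "sid=1; Domain=example.org; Path=/; SameSite=None"):
        v = evaluate(h)
        print(f"{h!r:50} -> {'accepted' if v.accepted else 'rejected'}: {v.reason}")
```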