As of Firefox 96 we intend to ship “SameSite=Lax by default”, 
“SameSite=None only if secure” and “Schemeful SameSite” on all platforms. 
These features have been developed behind the following preferences: 
“network.cookie.sameSite.laxByDefault”, 
“network.cookie.sameSite.noneRequiresSecure”, and 
“network.cookie.sameSite.schemeful”. 

Link to the proposal: 
https://datatracker.ietf.org/doc/html/draft-west-cookie-incrementalism-01

Summary:
  "1.  Treat the lack of an explicit "SameSite" attribute as
       "SameSite=Lax".  That is, the "Set-Cookie" value "key=value" will
       produce a cookie equivalent to "key=value; SameSite=Lax".
       Cookies that require cross-site delivery can explicitly opt-into
       such behavior by asserting "SameSite=None" when creating a
       cookie.
   2.  Require the "Secure" attribute to be set for any cookie which
       asserts "SameSite=None" (similar conceptually to the behavior for
       the "__Secure-" prefix).  That is, the "Set-Cookie" value
       "key=value; SameSite=None; Secure" will be accepted, while
       "key=value; SameSite=None" will be rejected.
   3.  Require both the scheme and registrable domain of a request's
       client's "site for cookies" to match the target URL when deciding
       whether a given request is considered same-site.  That is, a
       request initiated from "http://site.example" to
       "https://site.example" should be considered cross-site."

Google Chrome has already shipped these features.

Bug to turn on by default: 
https://bugzilla.mozilla.org/show_bug.cgi?id=1617609

SameSite MDN Docs: 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
web-platform-tests:
https://github.com/web-platform-tests/wpt/tree/master/cookies/samesite-none-secure
https://github.com/web-platform-tests/wpt/tree/master/cookies/schemeful-same-site
https://github.com/web-platform-tests/wpt/tree/master/cookies/samesite

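The three rules quoted above, modelled as an added example (this is not Firefox or Chrome code, and not from the draft): a Set-Cookie parser that applies "Lax by default" and "None requires Secure", a schemeful same-site check, and a send decision that shows a cross-site form POST no longer carrying a cookie set without any SameSite attribute. The registrable-domain helper is an assumption: it takes the last two host labels and does not consult the Public Suffix List, so it is wrong for hosts under eTLDs such as "co.uk". All URLs, cookie names and request contexts are constructed for the demo.

```javascript
// Added example, not Firefox or Chrome code: a small model of the three rules
// in draft-west-cookie-incrementalism (Lax by default, None requires Secure,
// schemeful same-site). The registrable-domain check is a stated assumption:
// it takes the last two host labels and ignores the Public Suffix List, so it
// is wrong for hosts under eTLDs such as "co.uk". Real browsers use the PSL.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Rules 1 and 2: parse one Set-Cookie header value and decide if it is stored.
// Returns { accepted: true, cookie } or { accepted: false, reason }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq <= 0) return { accepted: false, reason: 'malformed name=value' };

  // Rule 1: a cookie with no SameSite attribute behaves as SameSite=Lax.
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, sameSite: 'Lax' };

  for (const attr of attrs) {
    const [rawKey, rawVal = ''] = attr.split('=').map((s) => s.trim());
    const key = rawKey.toLowerCase();
    if (key === 'secure') {
      cookie.secure = true;
    } else if (key === 'samesite') {
      const val = rawVal.toLowerCase();
      // Unknown SameSite values also fall back to Lax (same as no attribute).
      cookie.sameSite = val === 'none' ? 'None' : val === 'strict' ? 'Strict' : 'Lax';
    }
  }

  // Rule 2: SameSite=None is only accepted together with Secure.
  if (cookie.sameSite === 'None' && !cookie.secure) {
    return { accepted: false, reason: 'SameSite=None requires Secure' };
  }
  return { accepted: true, cookie };
}

// Simplified registrable domain (assumption: last two labels, no PSL lookup).
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Rule 3: same-site means same registrable domain AND, when schemeful, same scheme.
function isSameSite(initiatorUrl, targetUrl, schemeful = true) {
  const a = new URL(initiatorUrl);
  const b = new URL(targetUrl);
  const sameDomain = registrableDomain(a.hostname) === registrableDomain(b.hostname);
  return schemeful ? sameDomain && a.protocol === b.protocol : sameDomain;
}

// Decide whether a stored cookie is attached to a request. The request context
// is constructed by the caller: who initiated it, where it goes, whether it is a
// top-level navigation, and the HTTP method.
function shouldSend(cookie, { initiator, target, topLevelNavigation = false, method = 'GET' }) {
  // A Secure cookie never travels over plain http, regardless of SameSite.
  if (cookie.secure && new URL(target).protocol !== 'https:') return false;
  if (isSameSite(initiator, target)) return true;

  // Cross-site request: behaviour depends on the SameSite value.
  switch (cookie.sameSite) {
    case 'None':
      return true;
    case 'Strict':
      return false;
    default: // Lax: only top-level navigations using a safe method.
      return topLevelNavigation && SAFE_METHODS.has(method.toUpperCase());
  }
}

// Constructed demonstration: a cross-site form POST (the classic CSRF shape)
// no longer carries a cookie that was set without any SameSite attribute.
function demo() {
  const { cookie } = parseSetCookie('session=abc123; Secure');
  const csrfPost = {
    initiator: 'https://attacker.example',
    target: 'https://bank.example/transfer',
    topLevelNavigation: true,
    method: 'POST',
  };
  return { cookie, sent: shouldSend(cookie, csrfPost) };
}

console.log(JSON.stringify(demo()));
```

Two things the model deliberately leaves out: Chrome's temporary "Lax+POST" exception, which still attaches a defaulted-Lax cookie to top-level cross-site POSTs for two minutes after it was set, and the Public Suffix List, so treat `registrableDomain` as a placeholder when reasoning about hosts under multi-label suffixes.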