Hi all,
we've experienced some issues that led us to disable these features
through Normandy and will result in us enabling this only for
"EARLY_BETA_OR_EARLIER".
We will keep the list updated once we have a plan and a timeline.
Thanks,
Freddy
On 15.12.21 17:54, Niklas Gögge wrote:
Hi, everyone!
Here is a quick update to clear up the uncertainty and confusion.
In the past two weeks we have taken a look at the SameSite cookie WPTs
that Firefox was failing, investigated the breakages that were reported
to us and also had QA testing done to ensure there are no breakages on
any major sites.
With renewed confidence, we have reached the conclusion that we will
still ship in Firefox 96.
- Niklas
On Tuesday, November 30, 2021 at 8:24:13 PM UTC+1 Dragana Damjanovic wrote:
Hi,
I would prefer that all breakages reported so far are resolved or
otherwise explained before this hits the late Beta. Some of these
bugs were reported as late as last month.
Can we have a checkpoint before this hits the late Beta? An internal
email would be enough.
Please close bugs that are not reproducible or write a comment that
explains your investigation. I would expect that all breakage bugs
are closed before shipping.
dragana
On Tue, Nov 30, 2021 at 6:47 PM Niklas Gögge <[email protected]> wrote:
Hi Dragana and Valentin,
We are fairly confident that we won't face major breakages when
released given that:
- We have had these features enabled on Nightly for over a year.
- We will have them on Beta soon.
- Google Chrome shipped them over a year ago.
That being said, there can of course still be bugs and we have been
going through the breakages listed in
https://bugzilla.mozilla.org/show_bug.cgi?id=1618610. So far all the
breakages we got to were no longer reproducible and we will continue
to verify the rest.
Thanks for pointing out the WPT failures, we will make sure to
investigate those.
Should we get a significant amount of breakage reports in Beta we will
delay the shipping.
On Tuesday, November 30, 2021 at 3:34:28 PM UTC+1 [email protected] wrote:
There are also a number of sameSite web platform tests that
are currently marked as failing.
Before shipping this we should at least try to fix those
which pass in other browsers.
https://wpt.fyi/results/cookies?label=experimental&label=master&aligned
On Tue, 30 Nov 2021 at 15:28, Dragana Damjanovic <[email protected]> wrote:
Hi,
I have a question about the bugs linked to:
https://bugzilla.mozilla.org/show_bug.cgi?id=1618610
and also
https://bugzilla.mozilla.org/show_bug.cgi?id=1651119
There are some webcompat issues linked as well.
Are we confident that these issues are fixed? Can we
close them? I would prefer a comment in them saying what
is the status, or do we have a doc that analyzes these
issues?
Do these issues reproduce in Chrome or are they Firefox
specific? In the latter case that would be a bug in our
code.
dragana
On Tue, Nov 30, 2021 at 1:45 PM Niklas Gögge <[email protected]> wrote:
As of Firefox 96 we intend to ship “SameSite=Lax by
default”, “SameSite=None only if secure” and
“Schemeful SameSite” on all platforms. These
features have been developed behind the following
preferences: “network.cookie.sameSite.laxByDefault”,
“network.cookie.sameSite.noneRequiresSecure”, and
“network.cookie.sameSite.schemeful”.
Link to the proposal:
https://datatracker.ietf.org/doc/html/draft-west-cookie-incrementalism-01
Summary:
"1. Treat the lack of an explicit "SameSite" attribute as
    "SameSite=Lax". That is, the "Set-Cookie" value "key=value" will
    produce a cookie equivalent to "key=value; SameSite=Lax".
    Cookies that require cross-site delivery can explicitly opt-into
    such behavior by asserting "SameSite=None" when creating a
    cookie.
2. Require the "Secure" attribute to be set for any cookie which
    asserts "SameSite=None" (similar conceptually to the behavior for
    the "__Secure-" prefix). That is, the "Set-Cookie" value
    "key=value; SameSite=None; Secure" will be accepted, while
    "key=value; SameSite=None" will be rejected.
3. Require both the scheme and registrable domain of a request's
    client's "site for cookies" to match the target URL when deciding
    whether a given request is considered same-site. That is, a
    request initiated from "http://site.example" to
    "https://site.example" should be considered cross-site."
Google Chrome has already shipped these features.
Bug to turn on by default:
https://bugzilla.mozilla.org/show_bug.cgi?id=1617609
SameSite MDN Docs:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
web-platform-tests:
https://github.com/web-platform-tests/wpt/tree/master/cookies/samesite-none-secure
https://github.com/web-platform-tests/wpt/tree/master/cookies/schemeful-same-site
https://github.com/web-platform-tests/wpt/tree/master/cookies/samesite
--
You received this message because you are subscribed
to the Google Groups "[email protected]
<mailto:[email protected]>" group.
To unsubscribe from this group and stop receiving
emails from it, send an email to
[email protected]
<mailto:[email protected]>.
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/454e63d5-17fb-45d6-a0d2-ab277d049de3n%40mozilla.org
<https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/454e63d5-17fb-45d6-a0d2-ab277d049de3n%40mozilla.org?utm_medium=email&utm_source=footer>.
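
The three rules quoted in the intent-to-ship summary above, as an added illustration that is not part of the thread and is not Firefox code. The function names, the `DEFAULT_PREFS` object and the two-label stand-in for the registrable domain are assumptions made for this sketch.

```javascript
// Added illustration: simplified model of the three rules; not Firefox code.
// Option names echo the preference names in the thread; the wiring is hypothetical.
const DEFAULT_PREFS = { laxByDefault: true, noneRequiresSecure: true, schemeful: true };

// Parse a Set-Cookie value, keeping only the attributes these rules look at.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // simplification: require a non-empty name
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (k === "secure") cookie.secure = true;
    if (k === "samesite" && ["strict", "lax", "none"].includes(v)) cookie.sameSite = v;
  }
  return cookie;
}

// Rules 1 and 2: is the cookie stored, and with which effective SameSite mode?
function storeDecision(header, prefs = DEFAULT_PREFS) {
  const c = parseSetCookie(header);
  if (!c) return { stored: false, reason: "unparseable" };
  if (prefs.noneRequiresSecure && c.sameSite === "none" && !c.secure) {
    return { stored: false, reason: "SameSite=None without Secure" };
  }
  return { stored: true, mode: c.sameSite ?? (prefs.laxByDefault ? "lax" : "none") };
}

// Assumption: the last two host labels stand in for the registrable domain;
// browsers derive it from the Public Suffix List.
const registrableDomain = (host) => host.split(".").slice(-2).join(".");

// Rule 3: with schemeful comparison, http:// and https:// are different sites.
function isSameSite(initiatorUrl, targetUrl, prefs = DEFAULT_PREFS) {
  const a = new URL(initiatorUrl), b = new URL(targetUrl);
  if (registrableDomain(a.hostname) !== registrableDomain(b.hostname)) return false;
  return !prefs.schemeful || a.protocol === b.protocol;
}

// Would a stored cookie ride along on this request? topLevelSafeNav means a
// top-level navigation with a safe method such as GET. Secure/HTTPS delivery is not modeled.
function isSent(mode, initiatorUrl, targetUrl, topLevelSafeNav, prefs = DEFAULT_PREFS) {
  if (mode === "none" || isSameSite(initiatorUrl, targetUrl, prefs)) return true;
  return mode === "lax" && topLevelSafeNav;
}
```

Passing a prefs object with one flag set to `false` reproduces the pre-change behaviour for that rule, which is useful when checking whether a reported breakage depends on a specific preference.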