On Wednesday, July 1, 2020 at 11:07:36 AM UTC-4, mco...@mozilla.com wrote:
> Starting with Beta 79 today, we are rolling out this change to the default
> behavior of SameSite cookies to a small percentage of the beta population.
> The initial target is 10%, slowly increasing to 50% by the end of the beta
> cycle. We will hold at 50% for at least two more beta cycles, at which point
> we will consider introducing this to a small percentage of the Firefox
> release population.
>
> Known site breakage is being tracked here:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1618610
>
> Web developers can find more information here:
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#Fixing_common_warnings
>
>
> A good overview of this issue can be found here:
> https://web.dev/samesite-cookies-explained/
>
> Mike Conca
> Group Product Manager, Firefox Web Technologies
> On Thursday, May 23, 2019 at 2:34:14 AM UTC-6, Andrea Marchesini wrote:
> > Link to the proposal:
> > https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
> >
> > Summary:
> > "1. Treat the lack of an explicit "SameSite" attribute as
> > "SameSite=Lax". That is, the "Set-Cookie" value "key=value" will
> > produce a cookie equivalent to "key=value; SameSite=Lax".
> > Cookies that require cross-site delivery can explicitly opt-into
> > such behavior by asserting "SameSite=None" when creating a
> > cookie.
> > 2. Require the "Secure" attribute to be set for any cookie which
> > asserts "SameSite=None" (similar conceptually to the behavior for
> > the "__Secure-" prefix). That is, the "Set-Cookie" value
> > "key=value; SameSite=None; Secure" will be accepted, while
> > "key=value; SameSite=None" will be rejected."
To clarify, Firefox intends to roll out both SameSite=Lax as default and
require Secure for SameSite=None at the same time, correct?
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
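
The two rules quoted in the summary above, as an added example that is not part of the original thread or of Firefox's code: a small checker a site owner could run over their own `Set-Cookie` values to see which cookies change behaviour. The function names and sample headers are constructed, and treating an unrecognized `SameSite` value like a missing attribute is an assumption of this example.

```javascript
// Added example: evaluate a Set-Cookie value under the two quoted rules.
// parseSetCookie/evaluate are hypothetical names; sample headers are constructed.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? "" : pair.slice(0, eq),
    secure: false,
    sameSite: null, // null = attribute absent (or unrecognized: assumption)
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    // Attribute names and SameSite values are matched case-insensitively.
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "samesite") {
      cookie.sameSite = ["strict", "lax", "none"].includes(val) ? val : null;
    }
  }
  return cookie;
}

function evaluate(header) {
  const c = parseSetCookie(header);
  // Rule 1: no explicit SameSite attribute is treated as SameSite=Lax.
  const sameSite = c.sameSite === null ? "lax" : c.sameSite;
  // Rule 2: SameSite=None is accepted only together with Secure.
  if (sameSite === "none" && !c.secure) {
    return { name: c.name, accepted: false, sameSite, reason: "SameSite=None without Secure" };
  }
  const reason = c.sameSite === null ? "defaulted to Lax" : "explicit attribute";
  return { name: c.name, accepted: true, sameSite, reason };
}

// Constructed sample headers, including the three from the quoted summary.
const samples = [
  "key=value",
  "key=value; SameSite=None",
  "key=value; SameSite=None; Secure",
  "sid=abc; Path=/; HttpOnly; samesite=strict",
];
for (const h of samples) console.log(h, "->", JSON.stringify(evaluate(h)));
```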