-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Treat cookies as "SameSite=Lax" by default. #1325
Conversation
Can you please review, @chlily1? |
fa83cba
to
1379480
Compare
Thanks for the review! I fixed the bug you found. cc @mikewest if you also want to have a look (or merge). |
Thanks, LGTM |
Sorry, one more thing, Could you please update the non-normative section about SameSite on line 664 to note that if the SameSite attribute value is not specified or is something other than the 3 recognized keywords, it will be subject to a default enforcement mode that is equivalent to Lax? |
This looks right to me. Can you also update the changelog in the appendix with this new behavior? Happy to merge it once Lily is happy; we should then be able to spin out an -07 draft since the CfA went through (@mnot to confirm from a process perspective). |
Also update the changelog.
Note: this should land before #1323 (assuming there aren't any further changes). |
It looks like this was forgotten in #1325, when unknown values were switched from None to Default.
SameSite-Lax-by-default and SameSite=None-requires-Secure have been standardized ([1], [2]) and launched in Chromium [3] as well as Firefox [4]. The WPTs testing "legacy" behavior are no longer needed, and they are also failing on wpt.fyi [5]. This change removes the legacy-samesite virtual test suite, as well as the ?legacy-samesite variant of the tests in wpt/cookie/samesite/. The test for SameSite=None-requires-Secure also loses its "tentative" designation. Chromium will soon no longer support the configuration used in the virtual test suite, so there would be no way to run these tests anyway. [1] httpwg/http-extensions#1325 [2] httpwg/http-extensions#1323 [3] https://crrev.com/c/2231445 [4] https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/ [5] https://wpt.fyi/results/cookies/samesite?run_id=5099687737556992&run_id=5641857632567296&run_id=5678463840157696&run_id=5638004375814144 Bug: 961439, 1211388 Change-Id: Idb3c835908bcd61dde3593b4fb4f9349e738031f
SameSite-Lax-by-default and SameSite=None-requires-Secure have been standardized ([1], [2]) and launched in Chromium [3] as well as Firefox [4]. The WPTs testing "legacy" behavior are no longer needed, and they are also failing on wpt.fyi [5]. This change removes the legacy-samesite virtual test suite, as well as the ?legacy-samesite variant of the tests in wpt/cookie/samesite/. The test for SameSite=None-requires-Secure also loses its "tentative" designation. Chromium will soon no longer support the configuration used in the virtual test suite, so there would be no way to run these tests anyway. [1] httpwg/http-extensions#1325 [2] httpwg/http-extensions#1323 [3] https://crrev.com/c/2231445 [4] https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/ [5] https://wpt.fyi/results/cookies/samesite?run_id=5099687737556992&run_id=5641857632567296&run_id=5678463840157696&run_id=5638004375814144 Bug: 961439, 1211388 Change-Id: Idb3c835908bcd61dde3593b4fb4f9349e738031f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3047679 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905289}
SameSite-Lax-by-default and SameSite=None-requires-Secure have been standardized ([1], [2]) and launched in Chromium [3] as well as Firefox [4]. The WPTs testing "legacy" behavior are no longer needed, and they are also failing on wpt.fyi [5]. This change removes the legacy-samesite virtual test suite, as well as the ?legacy-samesite variant of the tests in wpt/cookie/samesite/. The test for SameSite=None-requires-Secure also loses its "tentative" designation. Chromium will soon no longer support the configuration used in the virtual test suite, so there would be no way to run these tests anyway. [1] httpwg/http-extensions#1325 [2] httpwg/http-extensions#1323 [3] https://crrev.com/c/2231445 [4] https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/ [5] https://wpt.fyi/results/cookies/samesite?run_id=5099687737556992&run_id=5641857632567296&run_id=5678463840157696&run_id=5638004375814144 Bug: 961439, 1211388 Change-Id: Idb3c835908bcd61dde3593b4fb4f9349e738031f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3047679 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905289}
SameSite-Lax-by-default and SameSite=None-requires-Secure have been standardized ([1], [2]) and launched in Chromium [3] as well as Firefox [4]. The WPTs testing "legacy" behavior are no longer needed, and they are also failing on wpt.fyi [5]. This change removes the legacy-samesite virtual test suite, as well as the ?legacy-samesite variant of the tests in wpt/cookie/samesite/. The test for SameSite=None-requires-Secure also loses its "tentative" designation. Chromium will soon no longer support the configuration used in the virtual test suite, so there would be no way to run these tests anyway. [1] httpwg/http-extensions#1325 [2] httpwg/http-extensions#1323 [3] https://crrev.com/c/2231445 [4] https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/ [5] https://wpt.fyi/results/cookies/samesite?run_id=5099687737556992&run_id=5641857632567296&run_id=5678463840157696&run_id=5638004375814144 Bug: 961439, 1211388 Change-Id: Idb3c835908bcd61dde3593b4fb4f9349e738031f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3047679 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905289}
…s, a=testonly Automatic update from web-platform-tests Remove legacy-samesite Web Platform Tests SameSite-Lax-by-default and SameSite=None-requires-Secure have been standardized ([1], [2]) and launched in Chromium [3] as well as Firefox [4]. The WPTs testing "legacy" behavior are no longer needed, and they are also failing on wpt.fyi [5]. This change removes the legacy-samesite virtual test suite, as well as the ?legacy-samesite variant of the tests in wpt/cookie/samesite/. The test for SameSite=None-requires-Secure also loses its "tentative" designation. Chromium will soon no longer support the configuration used in the virtual test suite, so there would be no way to run these tests anyway. [1] httpwg/http-extensions#1325 [2] httpwg/http-extensions#1323 [3] https://crrev.com/c/2231445 [4] https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/ [5] https://wpt.fyi/results/cookies/samesite?run_id=5099687737556992&run_id=5641857632567296&run_id=5678463840157696&run_id=5638004375814144 Bug: 961439, 1211388 Change-Id: Idb3c835908bcd61dde3593b4fb4f9349e738031f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3047679 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905289} -- wpt-commits: 939731a4f020de9afac2c4bf8c4de67eb9992e68 wpt-pr: 29758
…s, a=testonly Automatic update from web-platform-tests Remove legacy-samesite Web Platform Tests SameSite-Lax-by-default and SameSite=None-requires-Secure have been standardized ([1], [2]) and launched in Chromium [3] as well as Firefox [4]. The WPTs testing "legacy" behavior are no longer needed, and they are also failing on wpt.fyi [5]. This change removes the legacy-samesite virtual test suite, as well as the ?legacy-samesite variant of the tests in wpt/cookie/samesite/. The test for SameSite=None-requires-Secure also loses its "tentative" designation. Chromium will soon no longer support the configuration used in the virtual test suite, so there would be no way to run these tests anyway. [1] httpwg/http-extensions#1325 [2] httpwg/http-extensions#1323 [3] https://crrev.com/c/2231445 [4] https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/ [5] https://wpt.fyi/results/cookies/samesite?run_id=5099687737556992&run_id=5641857632567296&run_id=5678463840157696&run_id=5638004375814144 Bug: 961439, 1211388 Change-Id: Idb3c835908bcd61dde3593b4fb4f9349e738031f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3047679 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905289} -- wpt-commits: 939731a4f020de9afac2c4bf8c4de67eb9992e68 wpt-pr: 29758
…s, a=testonly Automatic update from web-platform-tests Remove legacy-samesite Web Platform Tests SameSite-Lax-by-default and SameSite=None-requires-Secure have been standardized ([1], [2]) and launched in Chromium [3] as well as Firefox [4]. The WPTs testing "legacy" behavior are no longer needed, and they are also failing on wpt.fyi [5]. This change removes the legacy-samesite virtual test suite, as well as the ?legacy-samesite variant of the tests in wpt/cookie/samesite/. The test for SameSite=None-requires-Secure also loses its "tentative" designation. Chromium will soon no longer support the configuration used in the virtual test suite, so there would be no way to run these tests anyway. [1] httpwg/http-extensions#1325 [2] httpwg/http-extensions#1323 [3] https://crrev.com/c/2231445 [4] https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/ [5] https://wpt.fyi/results/cookies/samesite?run_id=5099687737556992&run_id=5641857632567296&run_id=5678463840157696&run_id=5638004375814144 Bug: 961439, 1211388 Change-Id: Idb3c835908bcd61dde3593b4fb4f9349e738031f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3047679 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905289} -- wpt-commits: 939731a4f020de9afac2c4bf8c4de67eb9992e68 wpt-pr: 29758
…s, a=testonly Automatic update from web-platform-tests Remove legacy-samesite Web Platform Tests SameSite-Lax-by-default and SameSite=None-requires-Secure have been standardized ([1], [2]) and launched in Chromium [3] as well as Firefox [4]. The WPTs testing "legacy" behavior are no longer needed, and they are also failing on wpt.fyi [5]. This change removes the legacy-samesite virtual test suite, as well as the ?legacy-samesite variant of the tests in wpt/cookie/samesite/. The test for SameSite=None-requires-Secure also loses its "tentative" designation. Chromium will soon no longer support the configuration used in the virtual test suite, so there would be no way to run these tests anyway. [1] httpwg/http-extensions#1325 [2] httpwg/http-extensions#1323 [3] https://crrev.com/c/2231445 [4] https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/ [5] https://wpt.fyi/results/cookies/samesite?run_id=5099687737556992&run_id=5641857632567296&run_id=5678463840157696&run_id=5638004375814144 Bug: 961439, 1211388 Change-Id: Idb3c835908bcd61dde3593b4fb4f9349e738031f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3047679 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905289} -- wpt-commits: 939731a4f020de9afac2c4bf8c4de67eb9992e68 wpt-pr: 29758
SameSite-Lax-by-default and SameSite=None-requires-Secure have been standardized ([1], [2]) and launched in Chromium [3] as well as Firefox [4]. The WPTs testing "legacy" behavior are no longer needed, and they are also failing on wpt.fyi [5]. This change removes the legacy-samesite virtual test suite, as well as the ?legacy-samesite variant of the tests in wpt/cookie/samesite/. The test for SameSite=None-requires-Secure also loses its "tentative" designation. Chromium will soon no longer support the configuration used in the virtual test suite, so there would be no way to run these tests anyway. [1] httpwg/http-extensions#1325 [2] httpwg/http-extensions#1323 [3] https://crrev.com/c/2231445 [4] https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/ [5] https://wpt.fyi/results/cookies/samesite?run_id=5099687737556992&run_id=5641857632567296&run_id=5678463840157696&run_id=5638004375814144 Bug: 961439, 1211388 Change-Id: Idb3c835908bcd61dde3593b4fb4f9349e738031f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3047679 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905289} NOKEYCHECK=True GitOrigin-RevId: a11b13cf0fb388ee424f03814c955052856331ad
Opening for discussion, per the last interim group meeting.
This should correspond to https://tools.ietf.org/html/draft-west-cookie-incrementalism-01#section-3.1