Update content of Web/HTTP/Cookies #504

Closed
irenesmith opened this issue Oct 4, 2018 · 9 comments

@irenesmith
Collaborator

commented Oct 4, 2018

Since the existing Web/HTTP/Cookies documentation is missing information, could you also extend the section? You could use this blog post as the basis for documentation (or just link to that blog post):
https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/

Acceptance Criteria

  • Existing documentation has been updated with information from the blog post.

@irenesmith irenesmith self-assigned this Oct 4, 2018

@Rob--W

commented Oct 4, 2018

The quote is from https://bugzilla.mozilla.org/show_bug.cgi?id=1351663#c23 and specifically concerns this section: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_cookies

When you have improved this MDN section, could you add a link to that section at https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/cookies/SameSiteStatus ? Thanks!

@irenesmith

Collaborator Author

commented Nov 23, 2018

Information has been added to SameSite cookies on the HTTP cookies page as requested and a link to that section has been added to the definition of cookies.SameSiteStatus.

@Rob--W

commented Nov 23, 2018

That's looking great, thanks!

I have a few more suggestions:

"SameSite cookies are still experimental and not yet supported by all browsers.". The support is actually looking quite good: https://caniuse.com/same-site-cookie-attribute

Could you add an example of setting a SameSite cookie, and state that the default behavior (i.e. if the flag is not set or not supported by the browser) is to include the cookies in any request, including cross-origin requests?

Here is an example:

Set-Cookie: key=value; samesite=strict

Lastly, on the same page, there is also a section on CSRF: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Cross-site_request_forgery_(CSRF)

I suggest adding a bullet point referring to the SameSite section.

@chrisdavidmills

Collaborator

commented Nov 29, 2018

@irenesmith did you follow up on Rob's last few comments?

@irenesmith

Collaborator Author

commented Jan 10, 2019

Need to make some final changes to this so I have moved it into the current sprint (Erykah Badu) and allocated 0.5 points to the remaining work.

@irenesmith

Collaborator Author

commented Jan 30, 2019

Made updates according to the above suggestions.

@Rob--W

commented Jan 30, 2019

The following note has still not been changed:

SameSite cookies are still experimental and not yet supported by all browsers.

Support by recent versions of browsers is however looking good: https://caniuse.com/#feat=same-site-cookie-attribute

I found that there is another article that has the compatibility table (and a two-sentence section on SameSite): https://developer.mozilla.org/en-US/docs/Web/HTTP/headers/Set-Cookie

The compat section seems to be out of date (compared to the caniuse information) though.
Could you make the following changes?

@irenesmith

Collaborator Author

commented Jan 31, 2019

Sorry, I misunderstood the first comment about the note. I thought you wanted it added. I will remove it.

I will make the other changes you list today (1/31).

@Elchi3

Member

commented Feb 1, 2019

Irene, can you also follow up on mdn/browser-compat-data#2918?

@jmswisher jmswisher closed this Mar 22, 2019
