The "forceHttps" cookie is misusing the recommended “sameSite“ attribute
Closed, Invalid · Public

Description

I get this warning in Firefox's console when I visit any page on fawiki:

Some cookies are misusing the recommended “sameSite“ attribute

Cookie “forceHTTPS” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies

Looking at the Network tab of the console, I see forceHTTPS: "true" in the request cookie, and the response cookies read something like this:

forceHttps:
    domain: ".wikipedia.org"
    httpOnly: true,
    path: "/",
    value: "true"

Obviously, there are many network requests and many response cookies, so maybe I am not looking at the problematic one?

Of note, the warning is not always shown; if I keep refreshing the page, sometimes it goes away, sometimes I get it 2 times, and sometimes 3 times.

Per T158604 my impression was that we have not started using sameSite cookies yet. Apparently, we have.

Event Timeline

Krinkle renamed this task from Some cookies are misusing the recommended “sameSite“ attribute to The "forceHttps" cookie is misusing the recommended “sameSite“ attribute. Jun 14 2020, 3:47 PM
tstarling subscribed.

The warning is poorly worded. The cookie does not have a SameSite attribute, so it is implicitly None. The warning is correct that there is a problem that needs to be immediately fixed. I reformulated this as T256095.
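
One way to find which response cookie triggers the warning, as an added example that is not part of the original task or of MediaWiki's code: it parses `Set-Cookie` header values and flags every cookie that lacks `Secure` while `SameSite` is `None`, invalid, or absent (absent is treated as implicitly `None`, as the comment above describes). The header strings and the function names are constructed for illustration.

```javascript
// Values the SameSite attribute may legitimately take (case-insensitive).
const VALID_SAMESITE = new Set(['strict', 'lax', 'none']);

// Split one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? '' : pair.slice(0, eq);
  const attrs = Object.create(null);
  for (const attr of rest) {
    if (!attr) continue; // tolerate a trailing ';'
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Classify the SameSite state and flag the combination the warning is about.
function auditSameSite(header) {
  const { name, attrs } = parseSetCookie(header);
  const secure = 'secure' in attrs;
  const raw = attrs.samesite;
  let sameSite;
  if (raw === undefined) sameSite = 'missing'; // no attribute at all
  else if (typeof raw !== 'string' || !VALID_SAMESITE.has(raw.toLowerCase())) sameSite = 'invalid';
  else sameSite = raw.toLowerCase();
  const flagged = !secure && ['missing', 'invalid', 'none'].includes(sameSite);
  return { name, sameSite, secure, flagged };
}

// Names of the cookies that need Secure and/or an explicit SameSite value.
function flaggedNames(headers) {
  return headers.map(auditSameSite).filter((r) => r.flagged).map((r) => r.name);
}

// Constructed sample headers; the first mirrors the cookie shown in the description.
const SAMPLE_HEADERS = [
  'forceHTTPS=true; Domain=.wikipedia.org; Path=/; HttpOnly',
  'sessionExample=abc; Path=/; Secure; HttpOnly; SameSite=None',
  'prefsExample=1; Path=/; SameSite=Lax',
  'trackExample=1; Path=/; SameSite=None',
  'oddExample=1; Path=/; SameSite=Sometimes',
];

console.log(SAMPLE_HEADERS.map(auditSameSite));
```

Run over the `Set-Cookie` values copied from the Network tab, the `missing` state separates a cookie with no attribute from one explicitly set to `None`, which the browser warning does not distinguish.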