Page MenuHomePhabricator
Create Task
Maniphest T252597

Cookie “VEE” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute.
Closed, ResolvedPublic
Actions

Description

Firefox shows me this in the console when I click Edit (with VE):

Cookie “VEE” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Use mw.cookie instead of jquery.cookiemediawiki/extensions/VisualEditormaster+5 -7
Customize query in gerrit

Related Objects
Search...

Event Timeline

kostajh created this task.May 12 2020, 8:46 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 12 2020, 8:46 PM
ppelberg added a project: Editing-team.May 12 2020, 8:53 PM
ppelberg subscribed.
matmarex subscribed.May 12 2020, 9:07 PM

The VEE cookie is used to remember the editor preference of non-logged-in users, so I guess that might stop working "soon". We should investigate "soon" but I don't think this is very urgent.

Tgr added a parent task: T255366: SameSite cookie issues.Jun 14 2020, 11:49 AM
Nirmos subscribed.Jun 15 2020, 1:48 AM
JTannerWMF moved this task from To Triage to Triaged on the VisualEditor board.Jun 16 2020, 3:42 PM
JTannerWMF edited projects, added Editing-team (Q3 2019-2020 Kanban Board); removed Editing-team.Jun 16 2020, 3:44 PM
JTannerWMF moved this task from Needs Discussion / Investigation to Upcoming on the Editing-team (Q3 2019-2020 Kanban Board) board.
Esanders subscribed.Jun 17 2020, 6:46 PM

We use $.cookie to set cookies. Sounds like this should be fixed upstream?

kostajh added a comment.Jun 17 2020, 9:07 PM

It seems like upstream is no longer maintained and they recommend switching to js-cookie. We should probably try to convert our code to use mw.cookie and then a fix could be centralized in that module?

MBinder_WMF edited projects, added Editing-team (Kanban Board); removed Editing-team (Q3 2019-2020 Kanban Board).Jul 9 2020, 4:55 PM
JTannerWMF moved this task from Inbox to Upcoming on the Editing-team (Kanban Board) board.Jul 9 2020, 4:56 PM
Tgr subscribed.Jul 14 2020, 4:08 PM

Filed T257936: Support the WebRequest / WebResponse SameSite behavior on the JS side.

ppelberg moved this task from Upcoming to Ready to Be Worked On on the Editing-team (Kanban Board) board.Jul 22 2020, 3:36 PM
gerritbot added a comment.Jul 30 2020, 4:42 PM

Change 617495 had a related patch set uploaded (by DLynch; owner: DLynch):
[mediawiki/extensions/VisualEditor@master] Use mw.cookie instead of jquery.cookie

https://gerrit.wikimedia.org/r/617495

gerritbot added a project: Patch-For-Review.Jul 30 2020, 4:42 PM
DLynch claimed this task.Jul 30 2020, 4:52 PM
DLynch moved this task from Ready to Be Worked On to Code Review on the Editing-team (Kanban Board) board.
matmarex added a comment.Jul 30 2020, 10:06 PM

Am I understanding correctly that this patch won't fix the warning until T257936 is done, but @Tgr is volunteering to work on that? ;)

DLynch added a comment.Jul 30 2020, 10:27 PM

Yeah, the patch is just a necessary-step towards removing the error. Depending on how T257936 is resolved, there may or may not be any more changes needed in VE code, I guess.

gerritbot added a comment.Jul 30 2020, 10:36 PM

Change 617495 merged by jenkins-bot:
[mediawiki/extensions/VisualEditor@master] Use mw.cookie instead of jquery.cookie

https://gerrit.wikimedia.org/r/617495

matmarex added a subtask: T257936: Support the WebRequest / WebResponse SameSite behavior on the JS side.Jul 30 2020, 10:37 PM
matmarex moved this task from Code Review to Blocked / Needs More Work on the Editing-team (Kanban Board) board.
Tgr added a comment.Jul 30 2020, 10:44 PM
In T252597#6350259, @matmarex wrote:

Am I understanding correctly that this patch won't fix the warning until T257936 is done, but @Tgr is volunteering to work on that? ;)

I can do that. rMWf8a7a1ace825: Support SameSite=None cookies intentionally did not provide a SameSite setting for all cookies, though, so presumably the JS logic would mirror that, and the calling code would have to be updated to specify SameSite=None.

ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.3; 2020-08-04).Jul 30 2020, 11:00 PM
matmarex removed a project: Patch-For-Review.Aug 5 2020, 5:38 PM
JTannerWMF added a project: Growth-Team (Sprint 0 (Growth Team)).Sep 9 2020, 4:20 PM
JTannerWMF subscribed.

Hey @Tgr how is it going with the core fix?

MMiller_WMF subscribed.Sep 14 2020, 4:53 PM
JTannerWMF added a comment.Sep 14 2020, 6:03 PM

We chat with the Growth team and determined that this will be unblocked by T257936 in mid October.

MMiller_WMF mentioned this in T257936: Support the WebRequest / WebResponse SameSite behavior on the JS side.Sep 14 2020, 6:24 PM
MMiller_WMF moved this task from Incoming to Ready for Development on the Growth-Team (Sprint 0 (Growth Team)) board.Oct 5 2020, 6:04 AM
MMiller_WMF added a project: Growth-Team-Leftovers.Oct 7 2020, 6:56 PM
MMiller_WMF removed a project: Growth-Team-Leftovers.Oct 7 2020, 7:19 PM
Tgr added a comment.Oct 16 2020, 4:31 AM

See https://www.mediawiki.org/wiki/Manual:SameSite_cookies#Browser_warnings. This error message can probably be safely ignored.

Tgr added a comment.Oct 16 2020, 4:37 AM

Filed T265703: Replace jquery.cookie with js-cookie in MediaWiki about the js-cookie issue.

MMiller_WMF removed a project: Growth-Team (Sprint 0 (Growth Team)).Oct 19 2020, 7:03 PM

Because @Tgr has a fix for the underlying issue in T257936: Support the WebRequest / WebResponse SameSite behavior on the JS side, and because he thinks that the error described on this task can be ignored, we don't think this task actually needs work. Sending it back to the Editing team to check that out.

JTannerWMF closed this task as Resolved.Oct 28 2020, 5:54 PM

If this becomes an issue it will be sitewide and noticeable, and at that time we will reopen this task. This decision was collectively made in an Editing team meeting.

Restricted Application added a project: User-Ryasmeen. · View Herald TranscriptOct 28 2020, 5:54 PM
Etonkovidova closed subtask T257936: Support the WebRequest / WebResponse SameSite behavior on the JS side as Resolved.Nov 19 2020, 10:53 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits