Page MenuHomePhabricator
Create Task
Maniphest T255366

SameSite cookie issues
Open, Needs TriagePublic
Actions

Description

This is a tracking task for grouping issues related to the SameSite cookie flag.

SameSite=Strict prevents access to the cookie unless the request originates from the same domain. SameSite=Lax is similar but exempts top-level GET requests (such as loading a new page by clicking on a link). SameSite=None is the traditional behavior (no restrictions) which used to be the default, but modern browsers are increasingly defaulting to SameSite=Lax, and also starting to ignore SameSite=None when the cookie is not set with the Secure flag (and over HTTPS). Some older browsers OTOH interpret any value as Strict. (details, details)

"Same domain" also means same scheme; this might impact mixed-protocol non-Wikimedia sites and leftover HTTP links on Wikimedia sites.

Both Firefox and Chrome do (did?) default to None for top-level requests when the cookie is less than two-minutes old. (source).

Spec:

Testing:

  • current browser behavior: https://samesite-sandbox.glitch.me/ - with the new SameSite behavior, it should be all green.
  • Chrome: override with same-site-by-default-cookies and cookies-without-same-site-must-be-secure
  • Firefox: override with network.cookie.sameSite.laxByDefault and network.cookie.sameSite.noneRequiresSecure

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT255366 SameSite cookie issues
 InvalidNoneT255357 Cookie “UploadForm” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute.
 ResolvedtstarlingT252236 Prepare CentralAuth (e.g. login.wikimedia.org) for requirement of SameSite=None cross-site cookies in Chrome
 DuplicateNoneT158604 Investigate usefulness of SameSite cookies for logged-in accounts
 InvalidNoneT202028 CentralAuth fails when using "site isolation" in Google Chrome and Chromium or "first-party isolation" in Firefox
 InvalidNoneT253662 The "forceHttps" cookie is misusing the recommended “sameSite“ attribute
 ResolvedKrinkleT256095 Stop sending the forceHTTPS cookie, make the HTTPS redirect unconditional
 ResolvedDLynchT252597 Cookie “VEE” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute.
 ResolvedTgrT257936 Support the WebRequest / WebResponse SameSite behavior on the JS side
 OpenNoneT236850 Test out Fundraising-related cookies with SameSite/Secure cookie behaviour in Chrome 80 simulation
 ResolvedReedyT257802 Backport SameSite fixes to all supported MediaWiki branches
 OpenBUG REPORTNoneT257517 Cookie mw-tour will be soon rejected because it has the “sameSite” attribute set to “none”, without the “secure” attribute.
 DeclinedNoneT258121 Logging in to a wiki sometimes fails with 'sessionfailure' error (coinciding with SameSite rollout)
 DeclinedNoneT257853 CentralAuth edge login broken on desktop (coinciding with SameSite rollout)
 OpenBUG REPORTNoneT277904 Can't properly dismiss Sitenotice in Firefox
 DeclinedBUG REPORTNoneT288660 SessionLength cookie triggers warnings about SameSite attribute
 OpenNoneT282746 Update or delete DI's cookie probe
 ResolvedcicaleseT261093 The “mwext-jsbreadcrumbs” cookie will be rejected in the future
 InvalidBUG REPORTNoneT345032 Some cookies are misusing the recommended “SameSite“ attribute
 OpenNoneT342626 '<wiki-id>wmE-sessionTickLastTick*' cookies not setting samesite attribute
Restricted Task
 OpenCDanisT342624 NetworkProbeLimit cookie should set samesite attribute
 ResolvedtstarlingT344791 Get rid of ss0- SameSite cookie prefix hack

Event Timeline

Tgr created this task.Jun 14 2020, 11:46 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 14 2020, 11:46 AM
Tgr added a subtask: T255357: Cookie “UploadForm” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute..Jun 14 2020, 11:47 AM
Tgr added a subtask: T253662: The "forceHttps" cookie is misusing the recommended “sameSite“ attribute.
Tgr added a subtask: T252236: Prepare CentralAuth (e.g. login.wikimedia.org) for requirement of SameSite=None cross-site cookies in Chrome.
Tgr added a subtask: T252597: Cookie “VEE” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute..
Tgr added a subtask: T236850: Test out Fundraising-related cookies with SameSite/Secure cookie behaviour in Chrome 80 simulation.
Nirmos subscribed.Jun 15 2020, 1:41 AM
Krinkle removed a subtask: T253662: The "forceHttps" cookie is misusing the recommended “sameSite“ attribute.Jun 16 2020, 3:28 PM
JohanahoJ subscribed.Jun 17 2020, 11:01 AM
Wiki13 subscribed.Jun 17 2020, 8:06 PM
tstarling added a subtask: T256095: Stop sending the forceHTTPS cookie, make the HTTPS redirect unconditional.Jun 23 2020, 4:59 AM
Tgr added a subtask: T257802: Backport SameSite fixes to all supported MediaWiki branches.Jul 13 2020, 10:37 AM
Krinkle closed subtask T256095: Stop sending the forceHTTPS cookie, make the HTTPS redirect unconditional as Resolved.Jul 14 2020, 2:37 PM
Krinkle closed subtask T252236: Prepare CentralAuth (e.g. login.wikimedia.org) for requirement of SameSite=None cross-site cookies in Chrome as Resolved.
Tgr added a subtask: T257936: Support the WebRequest / WebResponse SameSite behavior on the JS side.Jul 14 2020, 3:45 PM
AntiCompositeNumber closed subtask T255357: Cookie “UploadForm” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. as Invalid.Jul 17 2020, 5:14 PM
Reedy closed subtask T257802: Backport SameSite fixes to all supported MediaWiki branches as Resolved.Jul 23 2020, 11:36 PM
mdaniels5757 subscribed.Jul 24 2020, 4:55 PM
Aklapper added a subtask: T257517: Cookie mw-tour will be soon rejected because it has the “sameSite” attribute set to “none”, without the “secure” attribute..Jul 27 2020, 5:04 AM
Tgr added a subtask: T258121: Logging in to a wiki sometimes fails with 'sessionfailure' error (coinciding with SameSite rollout).Aug 1 2020, 12:25 PM
Tgr added a subtask: T257853: CentralAuth edge login broken on desktop (coinciding with SameSite rollout).
Tgr updated the task description. (Show Details)Aug 9 2020, 9:25 AM
JTannerWMF closed subtask T252597: Cookie “VEE” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. as Resolved.Oct 28 2020, 5:54 PM
Etonkovidova closed subtask T257936: Support the WebRequest / WebResponse SameSite behavior on the JS side as Resolved.Nov 19 2020, 10:53 PM
AntiCompositeNumber added a subtask: T277904: Can't properly dismiss Sitenotice in Firefox.Mar 20 2021, 8:14 PM
Mholloway added a subtask: T288660: SessionLength cookie triggers warnings about SameSite attribute.Aug 12 2021, 2:03 PM
EChetty closed subtask T288660: SessionLength cookie triggers warnings about SameSite attribute as Declined.Apr 5 2022, 12:27 PM
Nemo_bis mentioned this in T244699: EPIC: Find alternative to Special:HideBanners cookies to mitigate the loss of 3rd-party cookie support.Jun 14 2022, 2:06 PM
Nemo_bis mentioned this in T262996: Don't set cookies in traffic layer for non-user facing domains (avoid false third-party cookie warning).Jun 14 2022, 2:10 PM
Nemo_bis added a subtask: T282746: Update or delete DI's cookie probe.
Nemo_bis subscribed.Jun 14 2022, 2:14 PM

Does this announcement mean that SameSite issues will become much more widespread starting today?

Firefox rolls out Total Cookie Protection by default to all users worldwide
Starting today, Firefox is rolling out Total Cookie Protection by default to all Firefox users worldwide [...]
Total Cookie Protection works by creating a separate “cookie jar” for each website you visit. Instead of allowing trackers to link up your behavior on multiple sites, they just get to see behavior on individual sites.

https://blog.mozilla.org/en/products/firefox/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/

Some of the depending bugs are quite significant, for instance T277904 . If the sitenotice cannot be dismissed any more, wikis should probably be advised to stop using it until the bug is solved. Generally speaking, some testing and communication is likely needed here.

Seb35 added a subtask: T261093: The “mwext-jsbreadcrumbs” cookie will be rejected in the future.Jul 22 2022, 1:58 PM
Tgr updated the task description. (Show Details)Jul 22 2022, 7:11 PM
Tgr updated the task description. (Show Details)Jul 22 2022, 7:27 PM
Tgr updated the task description. (Show Details)Jul 22 2022, 7:30 PM
Tgr added a comment.Jul 22 2022, 7:37 PM
In T255366#8002657, @Nemo_bis wrote:

Does [the Total Cookie Protection] announcement mean that SameSite issues will become much more widespread starting today?

The more technical spec for this is State Partitioning. It will probably cause similar issues (note that the current version of the spec talks about sites "having the same registrable domain", so e.g. en.wikipedia.org and de.wikipedia.org would be considered same-site; but login.wikimedia.org not), but it's only enabled for private browsing or when Enhanced Tracking Protection is manually set to strict mode (which warns that "may cause some sites or content to break"), which given the low market share of Firefox, means it will effect a fairly small part of the audience.

That said, what they call Network Partitioning is enabled for everyone, and might have performance implications - details are scarce, but it seems to suggest e.g. DNS cache and HTTP cache would be split by referrer domain.

Base subscribed.Oct 21 2022, 11:47 PM

which given the low market share of Firefox, means it will effect a fairly small part of the audience.

Well, IE11 has even smaller share I think, but because of supporting it we were/are stuck with some pre-historic ECMAScript.

cicalese closed subtask T261093: The “mwext-jsbreadcrumbs” cookie will be rejected in the future as Resolved.Jun 18 2023, 1:14 PM
Snaevar added a subtask: T345032: Some cookies are misusing the recommended “SameSite“ attribute.Aug 27 2023, 8:32 AM
Tgr mentioned this in T345245: Mitigate phase-out of third-party cookies across MediaWiki in production.Aug 30 2023, 12:29 PM
Tgr mentioned this in T345249: Mitigate phase-out of third-party cookies in CentralAuth.Oct 7 2023, 6:57 PM
matmarex closed subtask T258121: Logging in to a wiki sometimes fails with 'sessionfailure' error (coinciding with SameSite rollout) as Declined.Nov 28 2023, 10:13 PM
matmarex closed subtask T257853: CentralAuth edge login broken on desktop (coinciding with SameSite rollout) as Declined.
mdaniels5757 unsubscribed.Dec 1 2023, 6:20 PM
Reedy added a subtask: T342626: '<wiki-id>wmE-sessionTickLastTick*' cookies not setting samesite attribute.Dec 18 2023, 3:28 PM
Reedy added a subtask: Restricted Task.
Tgr added a subtask: T342624: NetworkProbeLimit cookie should set samesite attribute.Jan 9 2024, 8:49 PM
Tgr added a subtask: T344791: Get rid of ss0- SameSite cookie prefix hack.
Tgr closed subtask T345032: Some cookies are misusing the recommended “SameSite“ attribute as Invalid.Jan 9 2024, 8:53 PM
tstarling closed subtask T344791: Get rid of ss0- SameSite cookie prefix hack as Resolved.Feb 15 2024, 10:45 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL