Page MenuHomePhabricator
Create Task
Maniphest T257936

Support the WebRequest / WebResponse SameSite behavior on the JS side
Closed, ResolvedPublic
Actions

Description

Older versions of the SameSite standard specified it as a value-less keyword, equivalent to SameSite=Strict in the current standard. Some versions of some browsers did implement that, so SameSite=None might be interpreted as SameSite=Strict in some browsers, which could cause significant breakage. WebRequest and WebResponse work around that by attaching a shadow cookie to every SameSite=None cookie, and falling back to that cookie when the original is not seen. mw.cookie should have a similar logic.

Details

SubjectRepoBranchLines +/-
Support the WebRequest / WebResponse SameSite behavior on the JS sidemediawiki/coreREL1_35+108 -7
Support the WebRequest / WebResponse SameSite behavior on the JS sidemediawiki/coremaster+108 -7
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tgr created this task.Jul 14 2020, 3:45 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 14 2020, 3:45 PM
Tgr added a parent task: T255366: SameSite cookie issues.Jul 14 2020, 3:45 PM
Tgr mentioned this in T236850: Test out Fundraising-related cookies with SameSite/Secure cookie behaviour in Chrome 80 simulation.
Tgr mentioned this in T252597: Cookie “VEE” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute..Jul 14 2020, 4:08 PM
Tgr mentioned this in T255357: Cookie “UploadForm” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute..Jul 17 2020, 9:09 PM
mdaniels5757 subscribed.Jul 24 2020, 4:55 PM
matmarex added a parent task: T252597: Cookie “VEE” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute..Jul 30 2020, 10:37 PM
MMiller_WMF subscribed.Sep 14 2020, 4:53 PM
MMiller_WMF added a comment.Sep 14 2020, 6:24 PM

We've decided that @Tgr can work on this in mid-October, which will unblock T252597: Cookie “VEE” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute..

MMiller_WMF added projects: Growth-Team (Sprint 0 (Growth Team)), Growth-Team-Leftovers.Oct 7 2020, 7:19 PM
MMiller_WMF moved this task from Incoming to Ready for Development on the Growth-Team (Sprint 0 (Growth Team)) board.Oct 8 2020, 4:56 AM
Tgr claimed this task.Oct 15 2020, 8:17 AM
Tgr moved this task from Ready for Development to In Progress on the Growth-Team (Sprint 0 (Growth Team)) board.
gerritbot added a comment.Oct 16 2020, 7:20 AM

Change 634460 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/core@master] Support the WebRequest / WebResponse SameSite behavior on the JS side

https://gerrit.wikimedia.org/r/634460

gerritbot added a project: Patch-For-Review.Oct 16 2020, 7:20 AM
Tgr added a comment.Oct 16 2020, 7:30 AM

Note for testing: Chrome quietly ignores attempts to set a cookie from the Javascript console if it either has a secure flag or has samesite=none, and the document is on HTTP.

Tgr moved this task from In Progress to Code Review on the Growth-Team (Sprint 0 (Growth Team)) board.Oct 16 2020, 9:18 AM
Catrope moved this task from Code Review to QA on the Growth-Team (Sprint 0 (Growth Team)) board.Nov 10 2020, 2:46 AM
gerritbot added a comment.Nov 10 2020, 3:08 AM

Change 634460 merged by jenkins-bot:
[mediawiki/core@master] Support the WebRequest / WebResponse SameSite behavior on the JS side

https://gerrit.wikimedia.org/r/634460

Maintenance_bot removed a project: Patch-For-Review.Nov 10 2020, 3:10 AM
ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.18; 2020-11-17).Nov 10 2020, 4:00 AM
Etonkovidova closed this task as Resolved.Nov 19 2020, 10:53 PM
gerritbot added a comment.Mar 22 2021, 5:36 PM

Change 674106 had a related patch set uploaded (by Alistair3149; owner: Gergő Tisza):
[mediawiki/core@REL1_35] Support the WebRequest / WebResponse SameSite behavior on the JS side

https://gerrit.wikimedia.org/r/674106

gerritbot added a project: Patch-For-Review.Mar 22 2021, 5:36 PM
alistair3149 subscribed.Mar 22 2021, 5:38 PM
In T257936#6935555, @gerritbot wrote:

Change 674106 had a related patch set uploaded (by Alistair3149; owner: Gergő Tisza):
[mediawiki/core@REL1_35] Support the WebRequest / WebResponse SameSite behavior on the JS side

https://gerrit.wikimedia.org/r/674106

Cherry-picked to REL1_35 because it can cause significant breakage for wikis on the LTS.

alistair3149 added a project: MW-1.35-release.Mar 22 2021, 5:40 PM
Tgr added a comment.Mar 23 2021, 8:58 PM

Cherry-picking is probably the right thing to do, but I don't think anything actually uses it yet, so it's unlikely to cause any breakage.

gerritbot added a comment.Mar 24 2021, 12:26 AM

Change 674106 merged by jenkins-bot:
[mediawiki/core@REL1_35] Support the WebRequest / WebResponse SameSite behavior on the JS side

https://gerrit.wikimedia.org/r/674106

ReleaseTaggerBot added a project: MW-1.35-notes.Mar 24 2021, 1:00 AM
Maintenance_bot removed a project: Patch-For-Review.Mar 24 2021, 1:10 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL