
Support the WebRequest / WebResponse SameSite behavior on the JS side
Closed, Resolved · Public

Description

Older versions of the SameSite standard specified it as a value-less keyword, equivalent to SameSite=Strict in the current standard. Some versions of some browsers did implement that, so SameSite=None might be interpreted as SameSite=Strict in some browsers, which could cause significant breakage. WebRequest and WebResponse work around that by attaching a shadow cookie to every SameSite=None cookie, and falling back to that cookie when the original is not seen. mw.cookie should have similar logic.
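
The shadow-cookie fallback described above, as an added example that is not MediaWiki's code: the `legacy-` prefix and every function name are hypothetical, and the browser behaviour is a constructed model, not a real cookie jar.

```javascript
// Hypothetical prefix for the shadow copy; the name MediaWiki uses is not shown on this page.
const SHADOW_PREFIX = 'legacy-';

// Writer side: emit the SameSite=None original plus a shadow copy that carries
// no SameSite attribute, so old implementations treat it as a plain cookie.
function buildCrossSiteCookies(name, value) {
  const v = encodeURIComponent(value);
  return [
    `${name}=${v}; Path=/; Secure; SameSite=None`,
    `${SHADOW_PREFIX}${name}=${v}; Path=/; Secure`,
  ];
}

// Constructed model of the Cookie header a browser attaches to a cross-site request.
// treatsNoneAsStrict = true models the older implementations the task describes.
function sentCrossSite(setStrings, treatsNoneAsStrict) {
  return setStrings
    .filter((s) => {
      const attrs = s.toLowerCase().split(';').map((a) => a.trim());
      if (attrs.includes('samesite=none')) return !treatsNoneAsStrict;
      // No attribute: modelled as Lax-by-default (as in Chrome) on current browsers.
      // Browsers without that default would send it too, which the reader tolerates.
      return treatsNoneAsStrict;
    })
    .map((s) => s.split(';')[0])
    .join('; ');
}

// Parse a Cookie header value into a name -> decoded value map.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const pair of header.split(';')) {
    const i = pair.indexOf('=');
    if (i < 0) continue; // skip empty or malformed segments
    jar.set(pair.slice(0, i).trim(), decodeURIComponent(pair.slice(i + 1).trim()));
  }
  return jar;
}

// Reader side: prefer the original cookie, fall back to the shadow copy.
function getCrossSiteCookie(header, name) {
  const jar = parseCookieHeader(header);
  if (jar.has(name)) return jar.get(name);
  const shadow = SHADOW_PREFIX + name;
  return jar.has(shadow) ? jar.get(shadow) : null;
}
```

Both modelled browsers yield the same value from `getCrossSiteCookie`, which is the property the task asks `mw.cookie` to preserve on the client side.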

Event Timeline

Tgr created this task. Jul 14 2020, 3:45 PM
Restricted Application added a subscriber: Aklapper. Jul 14 2020, 3:45 PM
Tgr claimed this task. Oct 15 2020, 8:17 AM

Change 634460 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/core@master] Support the WebRequest / WebResponse SameSite behavior on the JS side

https://gerrit.wikimedia.org/r/634460

Tgr added a comment. Oct 16 2020, 7:30 AM

Note for testing: Chrome quietly ignores attempts to set a cookie from the JavaScript console if it either has a secure flag or has samesite=none, and the document is on HTTP.

Change 634460 merged by jenkins-bot:
[mediawiki/core@master] Support the WebRequest / WebResponse SameSite behavior on the JS side

https://gerrit.wikimedia.org/r/634460

Etonkovidova closed this task as Resolved. Thu, Nov 19, 10:53 PM