Older versions of the SameSite standard specified it as a value-less keyword, equivalent to SameSite=Strict in the current standard. Some versions of some browsers did implement that, so SameSite=None might be interpreted as SameSite=Strict in some browsers, which could cause significant breakage. WebRequest and WebResponse work around that by attaching a shadow cookie to every SameSite=None cookie, and falling back to that cookie when the original is not seen. mw.cookie should have similar logic.
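The shadow-cookie write and fallback read described above, as an added example (not MediaWiki's code and not the patch attached to this task). The function names, the `shadow-` prefix and the simplified two-browser model are assumptions made for illustration.

```javascript
// Added example: shadow-cookie write and fallback read for SameSite=None.
// SHADOW_PREFIX is a hypothetical name, not taken from the page or MediaWiki.
const SHADOW_PREFIX = 'shadow-';

// Build the document.cookie assignment strings for one logical cookie.
// A SameSite=None cookie also gets a shadow copy with no SameSite attribute.
function buildCookieWrites(name, value, { sameSite = '', secure = false } = {}) {
  const pair = (n) => `${encodeURIComponent(n)}=${encodeURIComponent(value)}`;
  const base = ['path=/'].concat(secure ? ['secure'] : []);
  if (sameSite.toLowerCase() !== 'none') {
    const attrs = sameSite ? base.concat(`samesite=${sameSite.toLowerCase()}`) : base;
    return [[pair(name)].concat(attrs).join('; ')];
  }
  // Current browsers reject SameSite=None cookies that lack Secure.
  if (!secure) throw new Error('SameSite=None requires the secure attribute');
  return [
    [pair(name)].concat(base, 'samesite=none').join('; '),
    [pair(SHADOW_PREFIX + name)].concat(base).join('; ')
  ];
}

// Simplified model of the Cookie header sent on a cross-site request.
// legacy=true models a browser that treats SameSite=None as Strict;
// legacy=false models one that treats a missing attribute as Lax.
function crossSiteCookieHeader(writes, legacy) {
  return writes.filter((w) => {
    const m = /;\s*samesite=(\w+)/i.exec(w);
    if (!m) return legacy;
    return !legacy && m[1].toLowerCase() === 'none';
  }).map((w) => w.split(';')[0]).join('; ');
}

// Read a cookie from a Cookie header (or document.cookie) string,
// falling back to the shadow copy when the original is absent.
function getCrossSiteCookie(header, name) {
  const jar = new Map();
  for (const part of header.split(';')) {
    const p = part.trim();
    const eq = p.indexOf('=');
    if (eq > 0) jar.set(decodeURIComponent(p.slice(0, eq)), decodeURIComponent(p.slice(eq + 1)));
  }
  if (jar.has(name)) return jar.get(name);
  const shadow = SHADOW_PREFIX + name;
  return jar.has(shadow) ? jar.get(shadow) : null;
}

// Constructed sample: the VEE cookie named on this page, with a made-up value.
const sampleWrites = buildCookieWrites('VEE', 'on', { sameSite: 'None', secure: true });
console.log(getCrossSiteCookie(crossSiteCookieHeader(sampleWrites, true), 'VEE'));
```

In the legacy model only the shadow copy reaches the server, and in the current model only the original does, so the reader gets the same value either way.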
Description
Details
Status | Subtype | Assigned | Task
---|---|---|---
Open | | None | T255366 SameSite cookie issues
Resolved | | DLynch | T252597 Cookie “VEE” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute.
Resolved | | Tgr | T257936 Support the WebRequest / WebResponse SameSite behavior on the JS side
Event Timeline
We've decided that @Tgr can work on this in mid-October, which will unblock T252597: Cookie “VEE” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute.
Change 634460 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/core@master] Support the WebRequest / WebResponse SameSite behavior on the JS side
Note for testing: Chrome quietly ignores attempts to set a cookie from the JavaScript console if it either has a secure flag or has samesite=none, and the document is on HTTP.
Change 634460 merged by jenkins-bot:
[mediawiki/core@master] Support the WebRequest / WebResponse SameSite behavior on the JS side
Change 674106 had a related patch set uploaded (by Alistair3149; owner: Gergő Tisza):
[mediawiki/core@REL1_35] Support the WebRequest / WebResponse SameSite behavior on the JS side
Cherry-picked to REL1_35 because it can cause significant breakage for wikis on the LTS.
Cherry-picking is probably the right thing to do, but I don't think anything actually uses it yet, so it's unlikely to cause any breakage.
Change 674106 merged by jenkins-bot:
[mediawiki/core@REL1_35] Support the WebRequest / WebResponse SameSite behavior on the JS side