Page MenuHomePhabricator
Create Task
Maniphest T261093

The “mwext-jsbreadcrumbs” cookie will be rejected in the future
Closed, ResolvedPublic
Actions

Description

Setup

  • MediaWiki 1.35.0-rc.2 (37ef236) 17:21, 22 August 2020
  • PHP 7.2.24-0ubuntu0.18.04.6 (apache2handler)
  • MariaDB 10.1.44-MariaDB-0ubuntu0.18.04.1
  • JSBreadCrumbs 1.0.3 (4cbd644) 13:49, 13 July 2020

Issue
I guess this message was prevented from showing up due to the T261065 issue. After checking out the patch it appears to be visible. Creating a new issue to keep these apart.

Das Cookie “mwext-jsbreadcrumbs” wird in Zukunft bald abgelehnt werden, da es für das Attribut "sameSite" entweder "none" oder einen ungültigen Wert angibt, ohne das "secure"-Attribut zu verwenden. Weitere Informationen zum "sameSite"-Attribut finden Sie unter https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Quick translation:

The “mwext-jsbreadcrumbs” cookie will be rejected in the future, since it uses for attribut "sameSite" either the value "none" or nothing whichout specifying a "secure" attribut. More information at https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

@cicalese FYI

Details

SubjectRepoBranchLines +/-
Add Secure and SameSite to the cookiemediawiki/extensions/JSBreadCrumbsREL1_40+1 -1
Add Secure and SameSite to the cookiemediawiki/extensions/JSBreadCrumbsREL1_39+1 -1
Add Secure and SameSite to the cookiemediawiki/extensions/JSBreadCrumbsmaster+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Kghbln created this task.Aug 24 2020, 7:33 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 24 2020, 7:33 AM
Kghbln updated the task description. (Show Details)Aug 24 2020, 7:34 AM
cicalese added a project: User-Cicalese.Sep 3 2020, 6:20 PM

Thanks for the heads up!

cicalese moved this task from Inbox to Issue on the User-Cicalese board.Sep 3 2020, 6:20 PM
gerritbot added a comment.Mar 19 2022, 3:01 PM

Change 771992 had a related patch set uploaded (by Seb35; author: Seb35):

[mediawiki/extensions/JSBreadCrumbs@master] Add Secure and SameSite to the cookie

https://gerrit.wikimedia.org/r/771992

gerritbot added a project: Patch-For-Review.Mar 19 2022, 3:01 PM
Seb35 subscribed.Mar 19 2022, 3:10 PM

I propose this patch, adding Secure and SameSite="Strict". For https websites, the Secure attribute is sufficient, but SameSite="Strict" is useful for http websites.

I hesited with SameSite="Lax" since JSBreadCrumbs can display the pages from other wikis in the same domain (like Wikipedia with wikis in *.wikipedia.org), but "Lax" is not needed since this feature works with SameSite="Strict" when the cookie is set with domain: ".my-top-level-domain.com". It is not included in this patch but it could be a separate task.

Seb35 added a parent task: T255366: SameSite cookie issues.Jul 22 2022, 1:58 PM
Tgr subscribed.Jul 22 2022, 7:38 PM

See https://www.mediawiki.org/wiki/Manual:SameSite_cookies#Browser_warnings.

gerritbot added a comment.Jun 18 2023, 1:04 PM

Change 771992 merged by jenkins-bot:

[mediawiki/extensions/JSBreadCrumbs@master] Add Secure and SameSite to the cookie

https://gerrit.wikimedia.org/r/771992

gerritbot added a comment.Jun 18 2023, 1:07 PM

Change 930913 had a related patch set uploaded (by Cicalese; author: Seb35):

[mediawiki/extensions/JSBreadCrumbs@REL1_39] Add Secure and SameSite to the cookie

https://gerrit.wikimedia.org/r/930913

gerritbot added a comment.Jun 18 2023, 1:07 PM

Change 930914 had a related patch set uploaded (by Cicalese; author: Seb35):

[mediawiki/extensions/JSBreadCrumbs@REL1_40] Add Secure and SameSite to the cookie

https://gerrit.wikimedia.org/r/930914

CCicalese_WMF mentioned this in rEJSB8986a8a4bd1c: Add Secure and SameSite to the cookie.Jun 18 2023, 1:10 PM
gerritbot added a comment.Jun 18 2023, 1:11 PM

Change 930913 merged by jenkins-bot:

[mediawiki/extensions/JSBreadCrumbs@REL1_39] Add Secure and SameSite to the cookie

https://gerrit.wikimedia.org/r/930913

CCicalese_WMF mentioned this in rEJSB03b20907d049: Add Secure and SameSite to the cookie.Jun 18 2023, 1:11 PM
gerritbot added a comment.Jun 18 2023, 1:11 PM

Change 930914 merged by jenkins-bot:

[mediawiki/extensions/JSBreadCrumbs@REL1_40] Add Secure and SameSite to the cookie

https://gerrit.wikimedia.org/r/930914

CCicalese_WMF mentioned this in rEJSB98d456c032aa: Add Secure and SameSite to the cookie.Jun 18 2023, 1:11 PM
cicalese closed this task as Resolved.Jun 18 2023, 1:14 PM
cicalese claimed this task.
Maintenance_bot removed a project: Patch-For-Review.Jun 18 2023, 1:30 PM
cicalese moved this task from Issue to Closed on the User-Cicalese board.Jul 16 2023, 4:43 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL