Page MenuHomePhabricator
Create Task
Maniphest T375256

Cookie % has been rejected because it is foreign and does not have the "Partitioned" attribute
Open, HighPublic
Actions

Description

In Firefox, I see these errors in the console while navigating to any WMF wiki:

Cookie “WMF-Last-Access” has been rejected because it is foreign and does not have the “Partitioned“ attribute. index.php
Cookie “WMF-Last-Access-Global” has been rejected because it is foreign and does not have the “Partitioned“ attribute. index.php
Cookie “GeoIP” has been rejected because it is foreign and does not have the “Partitioned“ attribute. index.php
Cookie “NetworkProbeLimit” has been rejected because it is in a cross-site context and its “SameSite” is “Lax” or “Strict”.

This seems like something to deal with in T345249: Mitigate phase-out of third-party cookies in CentralAuth, see https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning

Related Objects
Search...

Event Timeline

kostajh created this task.Sep 20 2024, 8:27 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 20 2024, 8:27 AM
Tgr added a comment.Sep 21 2024, 8:34 AM

No, it's related to the parent task (T345245: Mitigate phase-out of third-party cookies in Wikimedia production). Although technically it's not even MediaWiki, these specific cookies are handled by Varnish I think.

Tgr added a parent task: T345245: Mitigate phase-out of third-party cookies in Wikimedia production.Sep 25 2024, 1:24 PM
Tgr edited projects, added Data-Engineering, Traffic; removed MediaWiki-extensions-CentralAuth, MediaWiki-Platform-Team.Sep 25 2024, 1:30 PM

This only affects cookies on cross-domain requests. Not sure if that's a problem. The logspam can be prevented by setting the Partitioned cookie attribute, as the message suggests. Currently the cookies are blocked (ie. the browser does not send them on cross-domain requests); if they are partitioned, the browser will create a separate cookie jar (corresponding to the (document domain, cookie domain) tuple) and use that for cross-domain requests from the given document domain. (Which might be even worse for analytics?)

Tgr mentioned this in T261803: Requests for /static get an invalid WMF-Last-Access cookie for wikipedia.org on non-Wikipedia requests.Oct 1 2024, 6:32 PM
Ottomata added a project: Test Kitchen.Oct 23 2024, 8:53 PM
Ottomata removed a project: Data-Engineering.
Ottomata added subscribers: Milimetric, Ottomata.

cc @Milimetric should we follow upon this?

Ottomata added a subscriber: mforns.Oct 23 2024, 8:54 PM
phuedx triaged this task as Unbreak Now! priority.EditedOct 24 2024, 2:24 PM
phuedx added subscribers: VirginiaPoundstone, phuedx.

Raised this to Unbreak Now! because this is likely affecting unique devices reporting due to the WMF-Last-Access cookies being rejected /cc @VirginiaPoundstone

phuedx edited projects, added Test Kitchen (Data Products (Data Products Sprint 21 🪂)); removed Test Kitchen.Oct 24 2024, 2:26 PM

@mforns to confirm whether this is indeed impacting unique devices reporting.

BBlack subscribed.Oct 24 2024, 2:35 PM

Seems like all of these Varnish-level cookies mentioned at the top should at least gain appropriate, explicit SameSite= attributes, in addition to perhaps Partitioned as appropriate (only NetworkProbeLimit currently carries a SameSite attribute at all).

BBlack added a comment.Oct 24 2024, 4:48 PM

Do we have a specific example of a URL and which cookies triggered the rejections? In my own quick repro attempt, I only saw them failing on actually cross-domain traffic (in my case, an enwiki page was loading Math SVG content from https://wikimedia.org/api/..., and it was the cookies coming with that response that were rejected).

Tgr added a comment.Oct 25 2024, 11:00 AM
In T375256#10259757, @BBlack wrote:

I only saw them failing on actually cross-domain traffic

That's expected. I haven't tested but pretty sure browsers don't block or partition same-domain cookies.
(Probably not even same-site cookies, ie. the registrable domain has to be different.)

Not sure if this affects anything. Without the SameSite=None and Partitioned attributes, the browser will refuse to send the cookie on an AJAX request, Varnish will see there is no cookie, and will try to set one... not sure but I think that would also fail? If it succeeds that could mess up analytics.

(With Partitioned, there will be different cookies for every registrable domain the AJAX request is made from, which messes up analytics even more. Probably the best thing to do is to not set or read cookies on cross-origin requests.)

BBlack added a comment.Oct 25 2024, 2:21 PM

I don't think it's necessarily always up to us to be able to know it's cross-origin, though, right? It would depend on the $random_other_site's CORS whether they tell us about a referrer at all?

Tgr added a comment.Oct 25 2024, 2:31 PM

I think all the browsers that do third-party cookie blocking also set Sec-Fetch-Site: cross-site on cross-site requests.

BBlack added a comment.Oct 25 2024, 2:37 PM

Ah interesting! We should confirm that and perhaps avoid the set-cookie entirely on cookies that are (or at least are intended to be) ~ SameSite=Lax|Strict then, I guess?

phuedx moved this task from Sprint Backlog to Radar on the Test Kitchen (Data Products (Data Products Sprint 21 🪂)) board.Oct 28 2024, 2:36 PM
Milimetric edited projects, added Test Kitchen (Data Products Sprint 22); removed Test Kitchen (Data Products (Data Products Sprint 21 🪂)).Nov 7 2024, 7:08 PM
Milimetric moved this task from Sprint Backlog to Radar on the Test Kitchen (Data Products Sprint 22) board.
Milimetric edited projects, added Test Kitchen (Data Products Sprint 23); removed Test Kitchen (Data Products Sprint 22).Dec 2 2024, 3:09 PM
Milimetric moved this task from Sprint Backlog to Radar on the Test Kitchen (Data Products Sprint 23) board.
Milimetric edited projects, added Test Kitchen; removed Test Kitchen (Data Products Sprint 23).Dec 19 2024, 5:41 PM
Milimetric moved this task from Data Products Sprint 23 to NEEDS DISCUSSION on the Test Kitchen board.
VirginiaPoundstone moved this task from NEEDS DISCUSSION to NEEDS ESTIMATION on the Test Kitchen board.Jan 6 2025, 9:17 PM
VirginiaPoundstone moved this task from NEEDS ESTIMATION to NEEDS DISCUSSION on the Test Kitchen board.Jan 6 2025, 9:37 PM
VirginiaPoundstone added a project: Experimentation Lab Radar.Jan 6 2025, 9:38 PM
VirginiaPoundstone moved this task from NEEDS DISCUSSION to NEEDS ESTIMATION on the Test Kitchen board.Jan 6 2025, 9:39 PM
VirginiaPoundstone moved this task from NEEDS ESTIMATION to NEEDS DISCUSSION on the Test Kitchen board.
VirginiaPoundstone moved this task from NEEDS DISCUSSION to ADD DATA ENGINEERING TAG on the Test Kitchen board.Jan 14 2025, 11:12 PM
VirginiaPoundstone edited projects, added Data-Engineering; removed Test Kitchen.Jan 14 2025, 11:14 PM
Ahoelzl edited projects, added Data-Engineering (Q3 2025 January 1st - March 31th); removed Data-Engineering.Jan 21 2025, 6:51 PM
Ottomata added a project: Essential-Work.Jan 21 2025, 6:51 PM

@mforns to confirm whether this is indeed impacting unique devices reporting.

@mforns can you verify this?

Ahoelzl assigned this task to mforns.Jan 21 2025, 6:52 PM
mforns added a comment.Jan 30 2025, 8:28 PM

Will do.

YaroslavDubo added a project: Fundraising Sprint Unbreaking Now.Feb 5 2025, 6:48 PM
Aklapper lowered the priority of this task from Unbreak Now! to High.Mar 3 2025, 9:43 AM
Aklapper removed a project: Fundraising Sprint Unbreaking Now.

Resetting priority as this open task has been Unbreak now priority ("needs to be fixed immediately, setting anything else aside") for more than four months now, thus obviously does not qualify.

Ahoelzl edited projects, added Data-Engineering; removed Data-Engineering (Q3 2025 January 1st - March 31th).Apr 3 2025, 3:20 PM
Ahoelzl moved this task from Q3 2025 January 1st - March 31th to Next Up on the Data-Engineering board.
Back_ache subscribed.Nov 14 2025, 11:44 AM

deprechiatedresourceloader2025-11-14 112819.png (379×3 px, 50 KB)
added screenshot for clarity and to show this is still happened (when trying to save an edit in wikipedia

Back_ache mentioned this in T410135: Deprecated module "moment" used on veaction=editsource.Nov 14 2025, 11:52 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits