Starting with Beta 79 today, we are rolling out this change to the default behavior of SameSite cookies to a small percentage of the beta population. The initial target is 10%, slowly increasing to 50% by the end of the beta cycle. We will hold at 50% for at least two more beta cycles, at which point we will consider introducing this to a small percentage of the Firefox release population.
Known site breakage is being tracked here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1618610

Web developers can find more information here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#Fixing_common_warnings

A good overview of this issue can be found here:
https://web.dev/samesite-cookies-explained/

Mike Conca
Group Product Manager, Firefox Web Technologies

On Thursday, May 23, 2019 at 2:34:14 AM UTC-6, Andrea Marchesini wrote:
> Link to the proposal:
> https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
>
> Summary:
> "1. Treat the lack of an explicit "SameSite" attribute as
> "SameSite=Lax". That is, the "Set-Cookie" value "key=value" will
> produce a cookie equivalent to "key=value; SameSite=Lax".
> Cookies that require cross-site delivery can explicitly opt-into
> such behavior by asserting "SameSite=None" when creating a
> cookie.
> 2. Require the "Secure" attribute to be set for any cookie which
> asserts "SameSite=None" (similar conceptually to the behavior for
> the "__Secure-" prefix). That is, the "Set-Cookie" value
> "key=value; SameSite=None; Secure" will be accepted, while
> "key=value; SameSite=None" will be rejected."

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
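
The two rules in the quoted summary above, written out as a small audit of `Set-Cookie` values. This is an added example, not part of the original message and not Firefox's implementation. The function names and sample headers are constructed, and treating an unrecognized `SameSite` value like a missing attribute is an assumption of this sketch.

```python
# Added example: classify Set-Cookie values under the two quoted rules.
# Function names and sample headers are constructed for illustration.

def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, attrs); attribute names lowercased."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def classify(value):
    """Return (name, effective_samesite, note); effective is None if rejected."""
    name, attrs = parse_set_cookie(value)
    samesite = attrs.get("samesite")
    if samesite is None:
        # Rule 1: no explicit SameSite attribute is treated as SameSite=Lax.
        return name, "Lax", "no SameSite attribute, defaulted to Lax"
    mode = samesite.lower()
    if mode == "none":
        # Rule 2: SameSite=None is accepted only together with Secure.
        if "secure" not in attrs:
            return name, None, "rejected: SameSite=None without Secure"
        return name, "None", "explicit cross-site opt-in, Secure present"
    if mode in ("lax", "strict"):
        return name, mode.capitalize(), "explicit"
    # Assumption of this sketch: an unrecognized value is handled as if unset.
    return name, "Lax", "unrecognized SameSite value, handled as unset"


# Constructed sample headers, e.g. collected from a site's own responses.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",     # will default to Lax
    "widget=1; Path=/; SameSite=None",      # will be rejected
    "sso=xyz; SameSite=None; Secure",       # accepted for cross-site use
    "prefs=dark; samesite=strict; Secure",  # unaffected
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name, effective, note = classify(header)
        print(f"{name:8} -> {effective!s:6} ({note})")
```

Cookies reported as defaulted or rejected are the ones a site owner should review before the rollout reaches their users.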