On Tue, Sep 15, 2020 at 10:13 AM Michael Reeps <mre...@gmail.com> wrote:
> Thank you for the prompt response to my email. I guess I interpreted the
> standard to mean only when the cookie was intended for cross-site delivery,
> which these are not:
>

If the bug carries the SameSite=None attribute how could the browser possibly know the cookie is only used samesite? In fact it would appear the cookie has gone out of its way to announce it is NOT only used on the same site. The "reject" language in the spec seems pretty clear cut.

> I see this message with nearly all of my Adobe Analytics cookies, Google
> Analytics, and a number of others, and am going to be reliant on those
> vendors to address this issue. The folks at Adobe Client Care were
> completely unaware of Mozilla's interpretation when I reported it, which
> differs from Chrome's. Can you give any insight as to when "soon" is in
> "will be soon rejected"?
>

That we differ from Chrome is concerning. The main reason we're following the spec so carefully is in order to be compatible with the web's 800lb gorilla. As it happens I'll be in a meeting with the spec author later today; I'll ask him about Chrome's implementation of that part, and whether the spec needs an update.

I don't know how soon -- better question for Andrea (original poster) who implemented this. I suspect it's "when Chrome does it first". We like the security improvement, but there are already enough "works in Chrome" sites through no fault of our own. We can't afford adding to that number unnecessarily through a self-inflicted wound.