Security/SameSiteCookies: Difference between revisions
< Security
Jump to navigation
Jump to search
(→Implementation: expand description of 1286858) |
(→Implementation Bugs: 1456652 has landed in Nightly) |
||
| (26 intermediate revisions by the same user not shown) | |||
| Line 17: | Line 17: | ||
| {{nbug|1452496}} || Block setting in cross-origin contexts || Christoph || Yes || Yes || Yes | | {{nbug|1452496}} || Block setting in cross-origin contexts || Christoph || Yes || Yes || Yes | ||
|- | |- | ||
| {{nbug|1452699}} || Gating pref || Francois || Yes || | | {{nbug|1452699}} || Gating pref || Francois || Yes || Yes || Yes | ||
|} | |} | ||
| Line 32: | Line 30: | ||
| {{nbug|1453814}} || Bypass via redirects || Christoph || Yes || Yes || Yes | | {{nbug|1453814}} || Bypass via redirects || Christoph || Yes || Yes || Yes | ||
|- | |- | ||
| {{nbug|1453818}} || Bypass in reader mode || Francois || | | {{nbug|1453818}} || Bypass in reader mode || Francois || Yes || Yes || No | ||
|- | |- | ||
| {{nbug|1454027}} || Bypass in links within iframes || Christoph || | | {{nbug|1454027}} || Bypass in links within iframes || Christoph || Yes || Yes || Yes | ||
|- | |- | ||
| {{nbug|1454242}} || Stop relying on NS_IsSameSiteForeign || Christoph || Yes || Yes || Yes | | {{nbug|1454242}} || Stop relying on NS_IsSameSiteForeign || Christoph || Yes || Yes || Yes | ||
|- | |||
| {{nbug|1454723}} || Handle sandboxed iframes correctly || - || - || - || No | |||
|- | |||
| {{nbug|1454914}} || Don't treat WebExtensions load as foreign || Christoph || Yes || Yes || Yes | |||
|- | |||
| {{nbug|1455174}} || Inconsistencty with drag n' drop || - || - || - || No | |||
|- | |||
| {{nbug|1455342}} || Bypass via Save As || - || - || - || No | |||
|- | |||
| {{nbug|1456106}} || Bypass via Flash || - || - || - || No | |||
|- | |||
| {{nbug|1456652}} || Reader mode bypass || Gijs || Yes || - || No | |||
|} | |} | ||
| Line 54: | Line 64: | ||
! Bug !! Description !! Assignee !! In 61 !! In 60 !! Required | ! Bug !! Description !! Assignee !! In 61 !! In 60 !! Required | ||
|- | |- | ||
| {{nbug|1454605}} || Investigate "WPT" failures || - || No || No || No | | {{nbug|1454605}} || Investigate "WPT" failures || - || - || - || No | ||
|- | |||
| {{nbug|1454721}} || Test about:blank and about:srcdoc || Christoph || Yes || - || No | |||
|- | |||
| {{nbug|1455162}} || Test about: URLs with and without same-site.enabled || Francois || Yes || - || No | |||
|- | |||
| {{nbug|1455406}} || Convert test_same_site_cookies_webextension to an xpcshell test || - || - || - || No | |||
|- | |||
| {{nbug|1456407}} || Test meta refresh || Yes || - || - || No | |||
|- | |- | ||
| {{nbug| | | {{nbug|1456408}} || Test redirected top-level pages || - || - || - || No | ||
|- | |- | ||
| - || Fix [https://github.com/mikewest/rfc6265-biz rfc6265-biz] invalid attribute tests || - || - || - || No | | - || Fix [https://github.com/mikewest/rfc6265-biz rfc6265-biz] invalid attribute tests || - || - || - || No | ||
| Line 71: | Line 89: | ||
| {{nbug|1454781}} || Console warning || - || No | | {{nbug|1454781}} || Console warning || - || No | ||
|- | |- | ||
| [https:// | | [https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/ 2018-04-24] || Announcement blog post || - || Yes | ||
|} | |} | ||
Latest revision as of 15:54, 30 April 2018
SameSite is a new cookie attribute which prevents the browser from sending cookies along with cross-site requests and provides a layer of protection against cross-site request forgery attacks.
Implementation
| Bug | Description | Assignee | In 61 | In 60 | Required |
|---|---|---|---|---|---|
| 1286858 | Cookie storage and attribute parsing | Mark | Yes | Yes | Yes |
| 1286861 | Pass data via GetCookieString | Christoph | Yes | Yes | Yes |
| 1452496 | Block setting in cross-origin contexts | Christoph | Yes | Yes | Yes |
| 1452699 | Gating pref | Francois | Yes | Yes | Yes |
Implementation Bugs
| Bug | Description | Assignee | In 61 | In 60 | Required |
|---|---|---|---|---|---|
| 1430803 | Invalid SameSite attributes | Francois | Yes | Yes | Yes |
| 1453814 | Bypass via redirects | Christoph | Yes | Yes | Yes |
| 1453818 | Bypass in reader mode | Francois | Yes | Yes | No |
| 1454027 | Bypass in links within iframes | Christoph | Yes | Yes | Yes |
| 1454242 | Stop relying on NS_IsSameSiteForeign | Christoph | Yes | Yes | Yes |
| 1454723 | Handle sandboxed iframes correctly | - | - | - | No |
| 1454914 | Don't treat WebExtensions load as foreign | Christoph | Yes | Yes | Yes |
| 1455174 | Inconsistencty with drag n' drop | - | - | - | No |
| 1455342 | Bypass via Save As | - | - | - | No |
| 1456106 | Bypass via Flash | - | - | - | No |
| 1456652 | Reader mode bypass | Gijs | Yes | - | No |
Specification Bugs
| Link | Description | Assignee | Done |
|---|---|---|---|
| http-extensions #574 | Inconsistency in handling of invalid attribute values | Francois | Yes |
Tests
| Bug | Description | Assignee | In 61 | In 60 | Required |
|---|---|---|---|---|---|
| 1454605 | Investigate "WPT" failures | - | - | - | No |
| 1454721 | Test about:blank and about:srcdoc | Christoph | Yes | - | No |
| 1455162 | Test about: URLs with and without same-site.enabled | Francois | Yes | - | No |
| 1455406 | Convert test_same_site_cookies_webextension to an xpcshell test | - | - | - | No |
| 1456407 | Test meta refresh | Yes | - | - | No |
| 1456408 | Test redirected top-level pages | - | - | - | No |
| - | Fix rfc6265-biz invalid attribute tests | - | - | - | No |
Developer Documentation
| Link | Description | Assignee | Done |
|---|---|---|---|
| 1452715 | Devtools side-panel | - | No |
| 1454781 | Console warning | - | No |
| 2018-04-24 | Announcement blog post | - | Yes |