Security/SameSiteCookies

From MozillaWiki
< Security
Revision as of 15:54, 30 April 2018 by Fmarier (talk | contribs) (→‎Implementation Bugs: 1456652 has landed in Nightly)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

SameSite is a new cookie attribute which prevents the browser from sending cookies along with cross-site requests and provides a layer of protection against cross-site request forgery attacks.

Implementation

Bug Description Assignee In 61 In 60 Required
1286858 Cookie storage and attribute parsing Mark Yes Yes Yes
1286861 Pass data via GetCookieString Christoph Yes Yes Yes
1452496 Block setting in cross-origin contexts Christoph Yes Yes Yes
1452699 Gating pref Francois Yes Yes Yes

Implementation Bugs

Bug Description Assignee In 61 In 60 Required
1430803 Invalid SameSite attributes Francois Yes Yes Yes
1453814 Bypass via redirects Christoph Yes Yes Yes
1453818 Bypass in reader mode Francois Yes Yes No
1454027 Bypass in links within iframes Christoph Yes Yes Yes
1454242 Stop relying on NS_IsSameSiteForeign Christoph Yes Yes Yes
1454723 Handle sandboxed iframes correctly - - - No
1454914 Don't treat WebExtensions load as foreign Christoph Yes Yes Yes
1455174 Inconsistencty with drag n' drop - - - No
1455342 Bypass via Save As - - - No
1456106 Bypass via Flash - - - No
1456652 Reader mode bypass Gijs Yes - No

Specification Bugs

Link Description Assignee Done
http-extensions #574 Inconsistency in handling of invalid attribute values Francois Yes

Tests

Bug Description Assignee In 61 In 60 Required
1454605 Investigate "WPT" failures - - - No
1454721 Test about:blank and about:srcdoc Christoph Yes - No
1455162 Test about: URLs with and without same-site.enabled Francois Yes - No
1455406 Convert test_same_site_cookies_webextension to an xpcshell test - - - No
1456407 Test meta refresh Yes - - No
1456408 Test redirected top-level pages - - - No
- Fix rfc6265-biz invalid attribute tests - - - No

Developer Documentation

Link Description Assignee Done
1452715 Devtools side-panel - No
1454781 Console warning - No
2018-04-24 Announcement blog post - Yes
Retrieved from "https://wiki.mozilla.org/index.php?title=Security/SameSiteCookies&oldid=1193017"