SessionCookies.jsm does not restore the SameSite flag of session cookies
Categories
(Firefox :: Session Restore, enhancement, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox70 | --- | fixed |
People
(Reporter: robwu, Assigned: dennisschagt)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
|
(deleted),
text/x-phabricator-request
|
Details |
SessionCookiesInternal.restore unconditionally uses SAMESITE_NONE as the sameSite flag. This is incorrect, the sameSite flag should have been saved at CookieStore.add and be restored later.
The effect of this is that after a session restore, session cookies could inadvertently be included in requests where they shouldn't have been included (when SameSite=Lax or SameSite=Strict).
|
||
Comment 1•5 years ago
|
||
The priority flag is not set for this bug.
:mikedeboer, could you have a look please?
For more information, please visit auto_nag documentation.
|
||
Comment 2•5 years ago
|
||
Sounds plausible to me, but I unfortunately don't have time to work on this right now. Please feel free to pick this up - I'd be more than happy to mentor!
|
Assignee | |
Comment 3•5 years ago
|
||
Bug 1556151 - SessionStore: Save and restore cookie.sameSite flag
|
|
Assignee | |
Comment 4•5 years ago
|
||
I just submitted a patch and added :mikedeboer as reviewer.
:mikedeboer, Could you assign this bug to me?
This is one of my first contributions to Firefox. Please let me know if there is anything I can improve on.
|
|
||
Updated•5 years ago
|
|
|
Assignee | |
Updated•5 years ago
|
Pushed by dvarga@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/922be4adb708
SessionStore: Save and restore cookie.sameSite flag r=mikedeboer
|
||
Comment 6•5 years ago
|
||
| bugherder | ||
|
|
||
Comment 7•5 years ago
|
||
Dennis, well done for (one of) your first contribution(s) to Firefox! I'm looking forward to many more in the future!
Description
•