Security/SameSiteCookies

SameSite is a new cookie attribute which prevents the browser from sending cookies along with cross-site requests and provides a layer of protection against cross-site request forgery attacks.

Implementation

| Bug | Description | Assignee | In 61 | In 60 | Required |
|---|---|---|---|---|---|
| 1286858 | Cookie storage and attribute parsing | Mark | Yes | Yes | Yes |
| 1286861 | Pass data via GetCookieString | Christoph | Yes | Yes | Yes |
| 1452496 | Block setting in cross-origin contexts | Christoph | Yes | Yes | Yes |
| 1452699 | Gating pref | Francois | Yes | Yes | Yes |

Implementation Bugs

| Bug | Description | Assignee | In 61 | In 60 | Required |
|---|---|---|---|---|---|
| 1430803 | Invalid SameSite attributes | Francois | Yes | Yes | Yes |
| 1453814 | Bypass via redirects | Christoph | Yes | Yes | Yes |
| 1453818 | Bypass in reader mode | Francois | Yes | Yes | No |
| 1454027 | Bypass in links within iframes | Christoph | Yes | Yes | Yes |
| 1454242 | Stop relying on NS_IsSameSiteForeign | Christoph | Yes | Yes | Yes |
| 1454723 | Handle sandboxed iframes correctly | - | - | - | No |
| 1454914 | Don't treat WebExtensions load as foreign | Christoph | Yes | Yes | Yes |
| 1455174 | Inconsistency with drag n' drop | - | - | - | No |
| 1455342 | Bypass via Save As | - | - | - | No |
| 1456106 | Bypass via Flash | - | - | - | No |
| 1456652 | Reader mode bypass | Gijs | Yes | - | No |

Specification Bugs

| Link | Description | Assignee | Done |
|---|---|---|---|
| http-extensions #574 | Inconsistency in handling of invalid attribute values | Francois | Yes |

Tests

| Bug | Description | Assignee | In 61 | In 60 | Required |
|---|---|---|---|---|---|
| 1454605 | Investigate "WPT" failures | - | - | - | No |
| 1454721 | Test about:blank and about:srcdoc | Christoph | Yes | - | No |
| 1455162 | Test about: URLs with and without same-site.enabled | Francois | Yes | - | No |
| 1455406 | Convert test_same_site_cookies_webextension to an xpcshell test | - | - | - | No |
| 1456407 | Test meta refresh | Yes | - | - | No |
| 1456408 | Test redirected top-level pages | - | - | - | No |
| - | Fix rfc6265bis invalid attribute tests | - | - | - | No |

Developer Documentation

| Link | Description | Assignee | Done |
|---|---|---|---|
| 1452715 | Devtools side-panel | - | No |
| 1454781 | Console warning | - | No |
| 2018-04-24 | Announcement blog post | - | Yes |