SameSite is a new cookie attribute which prevents the browser from sending cookies along with cross-site requests and provides a layer of protection against cross-site request forgery attacks.
Implementation
| Bug | Description | Assignee | In 61 | In 60 | Required |
|---|---|---|---|---|---|
| 1286858 | Cookie storage and attribute parsing | Mark | Yes | Yes | Yes |
| 1286861 | Pass data via GetCookieString | Christoph | Yes | Yes | Yes |
| 1452496 | Block setting in cross-origin contexts | Christoph | Yes | Yes | Yes |
| 1452699 | Gating pref | Francois | Yes | No | Yes |
| 1454723 | Support for sandboxed iframes | - | - | - | No |
Implementation Bugs
| Bug | Description | Assignee | In 61 | In 60 | Required |
|---|---|---|---|---|---|
| 1430803 | Invalid SameSite attributes | Francois | Yes | Yes | Yes |
| 1453814 | Bypass via redirects | Christoph | Yes | Yes | Yes |
| 1453818 | Bypass in reader mode | Francois | No | No | No |
| 1454027 | Bypass in links within iframes | Christoph | Yes | Yes | Yes |
| 1454242 | Stop relying on NS_IsSameSiteForeign | Christoph | Yes | Yes | Yes |
| 1454914 | Don't treat WebExtensions load as foreign | Christoph | No | No | Yes |
| 1455157 | ThirdPartyUtil needs to treat more schemes as first-party | - | No | No | No |
Specification Bugs
| Link | Description | Assignee | Done |
|---|---|---|---|
| http-extensions #574 | Inconsistency in handling of invalid attribute values | Francois | Yes |
Tests
| Bug | Description | Assignee | In 61 | In 60 | Required |
|---|---|---|---|---|---|
| 1454605 | Investigate "WPT" failures | - | No | No | No |
| 1454721 | Test about:blank and about:srcdoc | Christoph | Yes | No | Yes |
| - | Fix rfc6265-biz invalid attribute tests | - | - | - | No |
Developer Documentation
| Link | Description | Assignee | Done |
|---|---|---|---|
| 1452715 | Devtools side-panel | - | No |
| 1454781 | Console warning | - | No |
| draft | Announcement blog post | - | No |