A "SameSite" attribute which has no value or has an invalid value should have the same effect as SameSite=Strict
Reported by l446240525@gmail.com, Apr 6 2016
Issue description
spec: https://tools.ietf.org/html/draft-west-first-party-cookies-06#section-3.2
This is a cookie parser (cookies/parsed_cookie.cc) bug.
Apr 6 2016
I think this is probably actually both a spec and implementation bug. We should ignore cookies with an invalid 'SameSite' attribute.
Apr 6 2016
https://codereview.chromium.org/1868493002 out for review.
Apr 6 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/1a9ce0d2b4854d406c62c23af936c633b2777feb

commit 1a9ce0d2b4854d406c62c23af936c633b2777feb
Author: mkwst <mkwst@chromium.org>
Date: Wed Apr 06 19:44:21 2016

Ignore cookies with invalid 'SameSite' attribute values.

As per https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1

BUG= 600983
Review URL: https://codereview.chromium.org/1868493002
Cr-Commit-Position: refs/heads/master@{#385525}

[modify] https://crrev.com/1a9ce0d2b4854d406c62c23af936c633b2777feb/net/cookies/canonical_cookie_unittest.cc
[modify] https://crrev.com/1a9ce0d2b4854d406c62c23af936c633b2777feb/net/cookies/parsed_cookie.cc
[modify] https://crrev.com/1a9ce0d2b4854d406c62c23af936c633b2777feb/net/cookies/parsed_cookie.h
[modify] https://crrev.com/1a9ce0d2b4854d406c62c23af936c633b2777feb/net/cookies/parsed_cookie_unittest.cc
Apr 7 2016
Jun 7 2016
Issue 617569 has been merged into this issue.
Apr 13 2018
The spec changed in 2018 and the behavior here was changed in Issue 635882. Now, a cookie with an empty or invalid SameSite attribute value ignores the SameSite attribute, treating the cookie as a plain cookie with no restrictions.
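
Added example (not part of the original thread and not Chromium's code): the three behaviours discussed in this issue for an empty or invalid SameSite value, side by side, so the security difference between failing closed and failing open is visible. All names are hypothetical; the recognised values are assumed to be Strict and Lax, and an empty value is assumed to be handled like an invalid one under every policy.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>

// Hypothetical names; this is not Chromium's ParsedCookie API.
enum class SameSite { kUnrestricted, kLax, kStrict };
enum class Policy {
  kTreatAsStrict,    // what the issue title asks for
  kRejectCookie,     // 2016 fix: drop the whole cookie
  kIgnoreAttribute,  // 2018 change: keep the cookie, no restriction
};
struct Parsed { bool accepted; SameSite mode; };
static std::string Norm(const std::string& s) {  // trim and lowercase
  auto b = s.find_first_not_of(" \t");
  if (b == std::string::npos) return "";
  std::string out = s.substr(b, s.find_last_not_of(" \t") - b + 1);
  std::transform(out.begin(), out.end(), out.begin(),
                 [](unsigned char c) { return std::tolower(c); });
  return out;
}

// Applies `policy` to the SameSite attribute of one Set-Cookie header value.
Parsed ParseSameSite(const std::string& header, Policy policy) {
  Parsed result{true, SameSite::kUnrestricted};
  std::istringstream in(header);
  std::string av;
  std::getline(in, av, ';');  // skip the name=value pair
  while (std::getline(in, av, ';')) {
    auto eq = av.find('=');
    if (Norm(av.substr(0, eq)) != "samesite") continue;
    std::string value = eq == std::string::npos ? "" : Norm(av.substr(eq + 1));
    if (value == "strict") { result.mode = SameSite::kStrict; continue; }
    if (value == "lax") { result.mode = SameSite::kLax; continue; }
    // Empty or unrecognised value: the three behaviours diverge here.
    // Assumption: an empty value is handled like an invalid one.
    switch (policy) {
      case Policy::kTreatAsStrict: result.mode = SameSite::kStrict; break;
      case Policy::kRejectCookie: return {false, SameSite::kUnrestricted};
      case Policy::kIgnoreAttribute: break;  // leave mode untouched
    }
  }
  return result;
}
int main() {  // constructed sample header, not taken from the bug report
  Parsed p = ParseSameSite("sid=abc; SameSite=bogus", Policy::kRejectCookie);
  std::cout << "accepted=" << p.accepted << "\n";
}
```

Under kIgnoreAttribute a typo in the attribute value silently yields an unrestricted cookie, so server-side tests should assert the exact SameSite string they emit.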
Comment 1 by mkwst@chromium.org, Apr 6 2016
Components: Internals>Network>Cookies Blink>SecurityFeature
Labels: -Pri-3 M-51 Pri-2
Owner: mkwst@chromium.org
Status: Assigned (was: Unconfirmed)