Mozilla warns more Firefox website breakage to come because devs just aren't checking for SameSite snafus

Mozilla on Wednesday warned that an ongoing change in the way Firefox handles browser cookies may interfere with websites – and urged web developers to test their code. The transition, backed by other browser vendors, has to do with the SameSite attribute, which is used to declare how browsers should handle cookies. Described …

  1. Anonymous Coward
    Anonymous Coward

    Standards?

    Well, isn't this happening because Google are choosing to change the standard without bothering to go through the process of settling it in the standards body?

    I'm all for general improvements in security. But this ad-hoc, we're doing it because we're a monopoly approach is just Google asserting itself as the de facto standards setter. The more they're allowed to do this the more control over the whole web they'll get.

    1. Charlie Clark Silver badge

      Re: Standards?

      If you look at the history of the development of web standards, this is the way it's always worked because otherwise you get no movement. This is why WHATWG was founded in the first place – largely because Microsoft was blocking any changes – and how most things like http/2 have been introduced.

      1. Anonymous Coward
        Anonymous Coward

        Re: Standards?

        Hang on, you’re saying that one big corporation throwing its weight around is bad, but another doing so is OK, and that it’s alright for people in a standards group who don’t like what it’s doing to clear off and set up a competing group leading to an even more fragmented ecosystem which is then ripe for the purposes of a big monopolistic online services corporation to come in and use its muscle to become the de facto standards setter and then use that to twist the web in their own favour and to the disadvantage of their competitors by making sure they don’t quite follow the official standards in their own browser and services, all whilst professing “Don’t do evil”?

        I don’t think that’s alright at all.

        And I don’t think that http/2 is anything to be proud of either.

        1. Charlie Clark Silver badge
          Stop

          Re: Standards?

          Hang on, you’re saying that one big corporation throwing its weight around is bad, but another doing so is OK

          No, that's not what I'm saying at all. You can put that strawman down.

          1. Anonymous Coward
            Anonymous Coward

            Re: Standards?

            Ah, so you agree that Google having de facto control over the standards is a bad thing, just as it was when MS were endeavouring to take control of the web.

            Welcome to the club.

    2. big_D Silver badge

      Re: Standards?

      I'd be happy if Strict was the only option.

  2. Tom Chiverton 1

    no clear definition of "breakage,"

    How about "in the beta I press login and it doesn't. In the release it's fine"...

    1. Anonymous Coward
      Anonymous Coward

      Re: no clear definition of "breakage,"

      That is only true for login pages though. I think they mean a more general definition. Something like "I can perform a task using the release version but it fails in the beta" would be a start, but it needs some level of protection from facebook devs raising a bug because the "task" they want to perform is to track you everywhere you go.

      1. Anonymous Coward
        Anonymous Coward

        Re: Have an up vote from me

        for mentioning F******k. The same reasoning can also apply to Google can't it eh?

        And, I hope that MS gets taken to task for flagging that you have modded your hosts file. So what if I choose to block www.microsoft.com. It is my frigging computer isn't it?

        What? It isn't? Ok. Bye-bye Windows. Most of us don't need you these days anyway.

  3. IGotOut Silver badge

    How about...

    ...if it doesn't work, a big red banner comes up saying "This site is using out of date technology. Be careful using it"

    Then the problem would be fixed pretty quickly.

    1. ectel

      Re: How about...

      But most websites don't need this level of functionality. The time and effort involved to update a minor site for a local club or something is not going to happen.

      If the functionality is needed then yes some sort of warning, but something that complains about EVERY website that is not up to latest standard (and that is a nebulous thing to describe) is going to get ignored and just annoy the user, so that they won't use the browser that flags it and will go to one that doesn't.

      1. Anonymous Coward
        Anonymous Coward

        Re: How about...

        I<cough cough>erm... my neighbour is extremely annoyed his favourite pr0n site has stopped working properly

        1. Alan Bourke

          Re: How about...

          I'm told, ahem, that popular site Cross Site Dominatrixes is having issues. Apparently.

    2. Pascal Monett Silver badge

      Re: How about...

      The problem is easy to fix. Google is considering that now, the SameSite default value is Lax instead of none.

      Just go and set it to None and the problem goes away.

      Of course, if you've never paid attention to that, you might not know where to set it. Time to learn.

    3. big_D Silver badge

      Re: How about...

      Mozilla can't, because it doesn't know whether the site is working properly or not. It just interprets what the site tells it to display/do. If the site is broken, the user will notice the site is broken, but the browser has just followed the instructions and knows what it has done has completed successfully.

  4. Paul Herber Silver badge

    Why the problem?

    On website for domain xyz.com only cookies relating to xyz.com should be accessible. Nothing else.

    Any code within that page that accesses some other domain e.g. facexyz.com can only access cookies for facexyz.com for that instance, and cookies for xyz.com are not accessible. Simples. One cookie at a time.

    1. Ken Hagan Gold badge

      Re: Why the problem?

      I suspect this (entirely sensible) plan falls flat when confronted by a website that pulls resources, including code, from a dozen different domains because that's easier than actually taking responsibility for serving them up from your own server.

      On the other hand, this might not be a bad thing. If the site was thrown together by an idiot, I probably don't want it to work as they intended and probably do want to be encouraged to find an alternative site.

      1. Doctor Syntax Silver badge

        Re: Why the problem?

        In fact, a good starting point is to regard such sites as broken anyway.

    2. Potemkine! Silver badge
      Alert

      Re: Why the problem?

      Sadly it is not enough, because of subdomains registered and used by third parties. It's a way for them to elude detection and blocking. It leads to security vulnerabilities.

      This article (in French here and approximately translated into English by Google here) shows how an online bank website implements such things, leading to advertising companies being able to access your bank accounts.

  5. Doctor Syntax Silver badge

    "The Register asked the UK's Cabinet Office about this but given the time difference with our San Francisco office"

    About a decade.

    1. Boris the Cockroach Silver badge
      Joke

      It's the old

      sign at Heathrow

      "Welcome to London, please put your watches back 70 yrs"

      1. Anonymous Coward
        Anonymous Coward

        Re: It's the old

        "Welcome to London"?

        Shurely some mistake. The UK (well, (some of) England, mostly) doesn't seem to do "welcome" these days.

        "Go away, you horrible funny-speaking and/or funny-coloured people" would very sadly be a more appropriate sign these days.

        The rest of us weep that our country seems to have been taken over by xenophobes and racists, and we are quite nice people, honest. We'll admit that we're a bit puzzled why you decide to move to our crowded, damp, and rather ramshackle country, but, as long as you're here legitimately and honestly, we do like that you have chosen to do so (and we would hope for the same if we chose to emigrate elsewhere). Any country where everyone was near-enough exactly the same would be horrible.

        1. Claptrap314 Silver badge

          Re: It's the old

          Yeah--because English-Irish relations have been SO wonderful since forever. And English-Scott. And English-Frog<bs><bs>ench.

          Give it a rest. People get along better with people who are like them. The idea that we should make the effort to get along with people NOT like us is a fine one. You should try it.

          1. Anonymous Coward
            Anonymous Coward

            Re: It's the old

            Thanks for backing up my point that it's sadly mostly the English who seem to have problems getting on with their neighbours, not that there's not also similar corresponding feelings among some of the neighbouring peoples as well.

            And, yes, I do think that we should all try to get on with each other.

            We're all much the same as people at the end of the day; the thing that tends to cause most problems, sadly, tends to be religion infecting its adherents with intolerant or oppressive beliefs. It's the one thing that I think that all of us would really be much better off without.

      2. Doctor Syntax Silver badge

        Re: It's the old

        Sign at Aldergrove: "Please set your watch to 1690".

  6. tip pc Silver badge

    does my browser have this enabled or not?

    I'm more concerned by the fact that browser vendors are intentionally modifying the behaviour of some browsers and the users won't necessarily know (even though it may be beta software it should be clear and obvious what the user is getting & not some random or unspecified allocation).

    Chrome --> "it's only available for an unspecified subset of users"

    Firefox --> "SameSite behavior has been activated for 50 per cent of beta users."

    1. ilovecookiez

      Re: does my browser have this enabled or not?

      Well, at least that explains why Facebook is working only on 66% of my computers.

      Firefox Beta 79 on Windows 7 -> Working

      Firefox Beta 79 on macOS Mojave -> Working

      Firefox Developer Edition 80 on Windows 10 -> Broken, lots of web requests unresolved on Network tab

      1. Circadian
        Devil

        Re: does my browser have this enabled or not?

        @ilovecookiez

        I’d blame Windows 10. Still, I blame Win10 for everything, even the Mojave instance...

        1. Geoffrey W

          Re: does my browser have this enabled or not?

          You should be more specific; blame Bill Gates for starting the company in the first place. He knew what he was up to from day zero. What a bar-steward!

  7. Henry Wertz 1 Gold badge

    Not too bad to fix

    So, I'm not a big fan of rolling out breaking changes on release (à la Chrome); rolling it out in a Beta is fine.

    But independent of that... sites this does break, at least they don't really need to "fix" the site (some redesign, moving bits to different domains or whatever, so the cookie use is "Lax" at least); they should, but at least they can just put the "SameSite: none" or the like into the headers.
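An added example (not from any commenter, nor from Mozilla or Google) covering both the default-to-Lax point in Pascal Monett's comment above and the "just put SameSite=None in the headers" fix in the comment immediately above: a small Python auditor that classifies Set-Cookie header values under the Lax-by-default rules, including the caveat that SameSite=None is only honoured when the cookie is also marked Secure. The sample headers are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class CookieVerdict:
    name: str
    effective: str          # how a Lax-by-default browser will treat the cookie
    sent_cross_site: bool   # will it accompany cross-site requests (iframes, POSTs)?
    note: str


def audit_set_cookie(header: str) -> CookieVerdict:
    """Classify one Set-Cookie header value under Lax-by-default rules."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if samesite == "none":
        if not secure:
            return CookieVerdict(name, "rejected", False,
                                 "SameSite=None requires Secure; the browser drops this cookie")
        return CookieVerdict(name, "None", True,
                             "explicitly cross-site; limit this to cookies that truly need it")
    if samesite in ("lax", "strict"):
        return CookieVerdict(name, samesite.capitalize(), False, "explicit first-party cookie")
    # Missing or unrecognised value: the new default treats the cookie as Lax.
    return CookieVerdict(name, "Lax (defaulted)", False,
                         "no valid SameSite attribute; cross-site embeds and POSTs lose this cookie")


def audit_headers(headers):
    """Return one verdict per Set-Cookie header value."""
    return [audit_set_cookie(h) for h in headers]


# Constructed sample headers (not from any real site) showing each outcome.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",               # legacy: becomes Lax, breaks cross-site embeds
    "sso_token=xyz; Path=/; SameSite=None",           # opted out but not Secure: rejected
    "sso_token=xyz; Path=/; SameSite=None; Secure",   # correct cross-site opt-out
    "csrf=42; SameSite=Strict",                        # first-party only
]

if __name__ == "__main__":
    for v in audit_headers(SAMPLE_HEADERS):
        print(f"{v.name:10} -> {v.effective:16} cross-site={v.sent_cross_site}  {v.note}")
```

Point it at the Set-Cookie values your site actually emits (for example from the Network tab the comment below mentions) to see which cookies the beta will silently stop sending cross-site and which opt-outs are malformed.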
