{
  "id": 2314,
  "date": "2018-04-24T00:43:31",
  "date_gmt": "2018-04-24T07:43:31",
  "modified": "2018-04-24T00:47:10",
  "modified_gmt": "2018-04-24T07:47:10",
  "slug": "same-site-cookies-in-firefox-60",
  "status": "publish",
  "type": "post",
  "link": "https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/",
  "title": {"rendered": "Supporting Same-Site Cookies in Firefox 60"},
  "content": {
    "rendered": "<p>Firefox 60 will introduce support for the <a href=\"https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7\">same-site cookie attribute</a>, which allows developers to gain more control over <a href=\"https://developer.mozilla.org/docs/Web/HTTP/Cookies\">cookies</a>. Since browsers include cookies with every request to a website, most sites rely on this mechanism to determine whether users are logged in.</p>\n<p>Attackers can abuse the fact that cookies are automatically sent with every request to force a user to perform unwanted actions on the site where they are currently logged in. Such attacks, known as <a href=\"https://en.wikipedia.org/wiki/Cross-site_request_forgery\">cross-site request forgeries</a> (CSRF), allow attackers who control third-party code to perform fraudulent actions on the user’s behalf. Unfortunately, the current web architecture does not allow web applications to reliably distinguish between actions initiated by the user and those initiated by any of the third-party gadgets or scripts that they rely on.</p>\n<p>To compensate, the same-site cookie attribute allows a web application to advise the browser that cookies should only be sent if the request originates from the website the cookie came from. Requests triggered from a URL different from the one that appears in the URL bar will not include any of the cookies tagged with this new attribute.</p>\n<p>The same-site attribute can take one of two values: ‘strict’ or ‘lax’. In strict mode, same-site cookies will be withheld for any kind of cross-site usage. This includes all inbound links from external sites to the application. Visitors clicking on such a link will initially be treated as ‘not being logged in’, whether or not they have an active session with the site.</p>\n<p>The lax mode caters to applications that are incompatible with these restrictions. In this mode, same-site cookies will be withheld on cross-domain subrequests (e.g. images or frames), but will be sent whenever a user navigates <a href=\"https://tools.ietf.org/html/rfc7231#section-4.2.1\">safely</a> from an external site (a top-level navigation using a safe HTTP method such as GET), for example by following a link.</p>\n<p>For the Mozilla Security Team:<br />\nChristoph Kerschbaumer, Mark Goodwin, Francois Marier</p>\n",
    "protected": false
  },
  "author": 960,
  "coauthors": [280776, 280774, 45532],
  "categories": [69],
  "tags": [],
  "comment_status": "closed",
  "ping_status": "closed",
  "format": "standard"
}