
[HttpFoundation] Add support for SameSite=None cookies #31467


Closed
javiereguiluz opened this issue May 10, 2019 · 2 comments
Labels
Bug Help wanted Issues and PRs which are looking for volunteers to complete them. HttpFoundation Status: Needs Review


@javiereguiluz
Member

Description
Google has announced some changes related to user privacy that affect the SameSite cookies introduced in #19104.

Starting from Chrome 76 [...] Cookies without the SameSite attribute will 
not be available in a third-party context. Developers will need to declare 
cookies that need to be available on third-party sites to Chrome with 
SameSite=None.

Google says this will allow Chrome users to clear cross-site cookies and 
leave single domain cookies that are used for logins and settings intact.

Full details: https://web.dev/samesite-cookies-explained/
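
An added example, not part of the issue or of Symfony's code: a dependency-free audit of `Set-Cookie` header lines that reports which cookies fall under the Chrome change quoted above. The function names `parseSetCookie` and `auditCookie` and the sample headers are constructed for illustration; the `Secure` check reflects Chrome's requirement for `SameSite=None` cookies, which the thread itself does not mention.

```php
<?php
// Added example. The header lines in $sample are constructed sample data.

/** Split one Set-Cookie value into [cookie name, attributes keyed in lower case]. */
function parseSetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    $name = explode('=', array_shift($parts), 2)[0];
    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue; // tolerate a trailing ";"
        }
        $kv = explode('=', $part, 2);
        // Flag attributes (Secure, HttpOnly) carry no value; store them as ''.
        $attrs[strtolower(trim($kv[0]))] = trim($kv[1] ?? '');
    }
    return [$name, $attrs];
}

/** Report how a cookie is declared for cross-site use. */
function auditCookie(string $header): string
{
    [$name, $attrs] = parseSetCookie($header);
    $sameSite = strtolower($attrs['samesite'] ?? '');
    switch ($sameSite) {
        case '':
            return "$name: no SameSite attribute, unavailable in a third-party context";
        case 'strict':
        case 'lax':
            return "$name: SameSite=$sameSite, not declared for third-party use";
        case 'none':
            // Assumption from Chrome's rules, not from the thread: None also needs Secure.
            return isset($attrs['secure'])
                ? "$name: SameSite=None with Secure, declared for third-party use"
                : "$name: SameSite=None without Secure, add the Secure flag";
        default:
            return "$name: unrecognised SameSite value '$sameSite'";
    }
}

$sample = [
    'PHPSESSID=abc123; path=/; HttpOnly',
    'prefs=dark; path=/; SameSite=Lax',
    'embed_token=xyz; path=/; Secure; HttpOnly; SameSite=None',
    'tracker=1; path=/; SameSite=None',
];
foreach ($sample as $header) {
    echo auditCookie($header), PHP_EOL;
}
```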

@markitosgv
Contributor

markitosgv commented May 10, 2019

Thanks @javiereguiluz!

What do you think about using Lax as default cookie value?

@nicolas-grekas
Member

I would consider this a bug fix; it should be fixed on 3.4 (same as we consider support for e.g. new PHP versions bug fixes).

@markitosgv we cannot change the default value without breaking BC.

@nicolas-grekas nicolas-grekas removed this from the next milestone May 10, 2019
@nicolas-grekas nicolas-grekas added the Help wanted Issues and PRs which are looking for volunteers to complete them. label May 10, 2019
nicolas-grekas added a commit that referenced this issue May 11, 2019
…(markitosgv)

This PR was merged into the 3.4 branch.

Discussion
----------

[HttpFoundation] Allow set 'None' on samesite cookie flag

Allow set samesite cookie flag to 'None' value

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #31467
| License       | MIT

Google introduces a new Chrome policy, marking every samesite flag that is not set as 'Strict' by default. If you want to allow third-party cookies, you must set the samesite flag to None.

This PR fixes #31467 and allows the samesite Cookie flag to be set to None.

Commits
-------

8bac3d6 Allow set 'None' on samesite cookie flag

4 participants