SameSite flag no longer default?
Hi,
I noticed that in the latest release (I tried both MacOS and Windows 11 ARM versions) that the "network.cookie.sameSite.laxByDefault" is no longer enabled, and cookies set by applications without specifying the flag, are not set with Lax and are sent in cross-origin requests. Could you clarify if this is intentional and why the change has been made?
Thanks
所有回覆 (7)
Version 149.0 by the way
選擇的解決方法
It was disabled much longer for me. They didn't plan to ship laxByDefault since 2024.
I don't think that something has been changed about it in 149.
Any reference on the rollback from defaulting to Lax? I can easily find that it was defaulted to Lax around 2020 or 2021, but can't find any reference or announcement around not being the default any longer. Most of the peers I deal with assumed and thought Firefox still defaulted, so FYI
See also:
- samesitelax - [meta] Enable sameSite=lax by default
(please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html)
Bit different from this type of announcement https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/
Anyway.... Thanks for the clarification
Hi,
Since the answer appears to be found, I've marked TyDraniu's reply above as a solution to highlight it for other users. If you disagree, you can click the Undo button under it and then mark any other reply as a solution,