Isn't it the case that you can easily turn it off, in your own user agent?

For example, in this case (Firefox), to turn this new behaviour on ahead of time, the article says you can go to about:config and set network.cookie.sameSite.laxByDefault and network.cookie.sameSite.noneRequiresSecure. I'm sort of hoping/assuming that after this becomes the default, you'll still be able to override it using those exact about:config properties.

You should probably also do that in a separate FF profile, which is easy enough. After all, you probably shouldn't disable security/privacy features like this for your normal browsing.


Firefox does have that, thank you, but I think the Chrome equivalents don't do the trick. I believed for no reason that would be the problem on Firefox too.


For Chrome:

chrome://flags/#same-site-by-default-cookies

chrome://flags/#cookies-without-same-site-must-be-secure

I found that at least the #same-site-by-default-cookies flag behaved as I would expect when setting it to "Disabled". Use case was to load an iframe that sets its own cookies with no SameSite value and still have that value default to "None".

We fixed this issue properly ("SameSite=None; Secure" in the cookie set in the iframe), but using the #same-site-by-default-cookies flag was a workaround for a little while.

What was a bit strange was the default behavior on Chrome was different for users even on the same Chrome version. They seemed to be rolling it out in phases. More info on that here: https://www.chromium.org/updates/same-site


We figured it out. They moved some of CSP/X-F-O to `extraHeaders` in a recent release and it was being rolled out slowly across the world, so we were on an early batch of rollouts. Works now.


Hmm, I did toggle those flags over to no avail. Perhaps linkedin.com is using additional protections that don't show up. It _is_ a 200, but the Chrome page just shows the broken icon with "www.linkedin.com refused to connect." even with x-f-o suppressed, CSP suppressed, and those flags tripped. All on 84.0.4147.105 on Linux/Mac.

Ah well, I guess I take the L on this.
