pouetnet / pouet2.0

The next generation of trumpets. Now with 10% more whining sound.
http://www.pouet.net/

Firefox complains about `pouetSettings` cookie #113

Open homeworkprod opened 3 years ago

homeworkprod commented 3 years ago

Just noticed this warning in Firefox's console while on a prod page:

Das Cookie “pouetSettings” wird in Zukunft bald abgelehnt werden, da es für das Attribut "sameSite" entweder "none" oder einen ungültigen Wert angibt, ohne das "secure"-Attribut zu verwenden. Weitere Informationen zum "sameSite"-Attribut finden Sie unter https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

It basically says the cookie will be rejected soon-ish as it sets sameSite to "none" or an invalid value while not setting the secure cookie flag at the same time.

Working link to docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Relevant excerpts:

> Note: Standards related to the Cookie SameSite attribute recently changed such that:
>
> The cookie-sending behavior if SameSite is not specified is SameSite=Lax. Previously the default was that cookies were sent for all requests. Cookies with SameSite=None must now also specify the Secure attribute (they require a secure context/HTTPS).

and

> Note: Lax replaced None as the default value in order to ensure that users have reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks.

I'm not yet sure (I'm tired) if it could be related to:

For the record, in my browser both Pouet cookies (pouetSettings and POUETSESS3) have these settings

I run a site that sets a cookie with these settings and Firefox does not seem to complain about it. However, it is only valid to the end of the browser session, so that might make a difference.

Given that Pouet is served on HTTPS these days, it might be in order to set it with these settings (also something I do on a site, at least for authentication cookies):
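The rule the Firefox warning enforces (SameSite=None is only honoured together with Secure, and unknown SameSite values are treated as invalid) is easy to check on the server side. The following is an added example, not code from the pouet2.0 project: a small Set-Cookie header parser, a checker that reports the two conditions the warning names, and a builder that refuses to emit the broken combination. The header strings and the `pouetSettings` cookie value are constructed for illustration.

```python
from typing import Dict, Optional

# Valid SameSite values per the Set-Cookie spec (compared case-insensitively).
VALID_SAMESITE = ("lax", "strict", "none")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased. Flag attributes (Secure, HttpOnly)
    map to True; valued attributes (SameSite, Path, Max-Age) to their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def check_samesite(header: str) -> Optional[str]:
    """Return a warning if the cookie would be rejected under current
    browser SameSite rules, otherwise None.

    - no SameSite attribute: browsers default to Lax, nothing to report
    - unknown SameSite value: invalid, will be rejected
    - SameSite=None without Secure: rejected (the Firefox console warning)
    """
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    samesite = attrs.get("samesite")
    if samesite is None:
        return None
    if not isinstance(samesite, str) or samesite.lower() not in VALID_SAMESITE:
        return f"{cookie['name']}: invalid SameSite value {samesite!r}"
    if samesite.lower() == "none" and attrs.get("secure") is not True:
        return f"{cookie['name']}: SameSite=None requires the Secure attribute"
    return None


def build_set_cookie(name: str, value: str, *, samesite: str = "Lax",
                     secure: bool = True, http_only: bool = True,
                     path: str = "/", max_age: Optional[int] = None) -> str:
    """Build a Set-Cookie header value, refusing the combination browsers
    reject. Defaults are the conservative choice for an HTTPS-only site."""
    if samesite.lower() not in VALID_SAMESITE:
        raise ValueError(f"invalid SameSite value: {samesite!r}")
    if samesite.lower() == "none" and not secure:
        raise ValueError("SameSite=None cookies must also be Secure")
    parts = [f"{name}={value}", f"Path={path}"]
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed sample headers: the problematic form and the fixed form.
    for h in ("pouetSettings=abc; Path=/; SameSite=None",
              "pouetSettings=abc; Path=/; SameSite=None; Secure",
              "pouetSettings=abc; Path=/; SameSite=Foo"):
        print(h, "->", check_samesite(h) or "ok")
    print(build_set_cookie("pouetSettings", "abc", samesite="None", max_age=31536000))
```

Running the checker over your own responses (for example in an integration test that inspects the `Set-Cookie` headers a page returns) catches the warning before a browser does; the builder makes the broken combination impossible to emit in the first place.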