U - [HTTP] Docs requirements for SameSite=Lax by default

[chrisdavidmills]

User story

As a web developer, I want to reads docs about the new default SameSite setting, so I can find out how this affects my work.

This contributes to MDN's completeness, and the KR "Increase traffic 5% y/y". MDN users need this information to be able to do their jobs effectively going forward.

Background

Same site cookies were shipped a few versions ago. Browser are now agreeing on a proposed change to treat all new cookies as SameSite=lax by default

This is interesting for 2 reasons:

1. We need to do this to avoid compat issues if other browsers all do it
2. It is an opportunity to work with other vendors to eliminate entire class of security vulnerabilities (CSFR)

We are trying to line up changes to coincide with other browser vendors, and this includes documentation. Chrome are aiming for about Chrome 78, available behind pref since 76. We are not yet 100% sure what Firefox version it will be enabled in, but it'll probably be Fx 71, or maybe even 70.

Docs updates needed on

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies (SameSite section)
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie (mention update to default behavior)

New page needed

• SameSite cookies page; will explain the change in detail, explain the errors you'll see in the console, and give developers advice about what they should do going forward. This will satisfy the need talked about at https://bugzilla.mozilla.org/show_bug.cgi?id=1620334.

We may also do with a hacks post to explain the story (how we fixed CSRF forever! google drove it, we thought of it) and what difference this wil make for web devs. This would also coincide with a more technical write up on the Moz sec blog. If these happen, the engineers will write them and we can help edit them.

Mark Goodwin was the engineering contact for this, now it's being implemented by Andrea Marchesini (baku). Ask him for help if needed.

Acceptance criteria

1. • Prototype SameSite=Lax by default (see also the intent to implement) (Fx 69, behind a pref at this point)
2. • Enable sameSite=lax by default on Nightly
3. • Implement sameSite lax-by-default 2 minutes tolerance for unsafe methods
4. • Need MDN landing page that SameSite console warnings can reference
5. • MDN docs written as described above.
6. • hacks and sec blog content reviewed/edited (not sure if this is still needed, will ask)

Enable sameSite=lax by default tracks the release of these changes in final release Fx. Bear in mind that we want to get this done by Fx 76 beta, so we will need to delay communicating that this is enabled in release till a later sprint).

[chrisdavidmills]

I'm clearing the milestone and attachment to Fx71 for now; I was told this would be a big thing to do probably around Fx71, but then heard nothing else about it.

[chrisdavidmills]

More information from chatting to Mike Conca:

• Platform team wants this by the time Fx 76 goes to beta, which will be April 7th, so it needs to go into the Charlie-Delta sprint.
• On the new page talked about in the description, we need information along the lines of https://web.dev/samesite-cookies-explained/#changes-to-the-default-behavior-without-samesite