Join the Mozilla’s Test Days event from Dec 2–8 to test the new Firefox address bar on Firefox Beta 134 and get a chance to win Mozilla swag vouchers! 🎁

Avatar for Username

Prohledat stránky podpory

Vyhněte se podvodům. Za účelem poskytnutí podpory vás nikdy nežádáme, abyste zavolali nebo poslali SMS na nějaké telefonní číslo nebo abyste sdělili své osobní údaje. Jakékoliv podezřelé chování nám prosím nahlaste pomocí odkazu „Nahlásit zneužití“.

Zjistit více

Toto vlákno bylo archivováno. Pokud potřebujete pomoci, založte prosím nový dotaz.

Firefox claims SameSite is set to Lax, while set-cookie contains SameSite=None and Secure

Øyvind Wergeland
Øyvind Wergeland
more options

Our backend sets a cookie for maintaining login sessions with SameSite=None and Secure (to support loading our front-end from localhost for developers and from a third party domain for PR previews).

This is the respose header:

set-cookie: ESESSIONID=<redacted>; Secure; HttpOnly; Path=/; SameSite=None; Max-Age=86399

However, Firefox does not send the cookie back with requests, but logs this error in the console:

Cookie “ESESSIONID” has been rejected because it is in a cross-site context and its “SameSite” is “Lax” or “Strict”.

We have worked around the issue by configuring exceptions in the Security & Privacy settings, but I am curious to why Firefox rejects the cookie with this error message.

Our backend sets a cookie for maintaining login sessions with SameSite=None and Secure (to support loading our front-end from localhost for developers and from a third party domain for PR previews). This is the respose header: set-cookie: ESESSIONID=<redacted>; Secure; HttpOnly; Path=/; SameSite=None; Max-Age=86399 However, Firefox does not send the cookie back with requests, but logs this error in the console: Cookie “ESESSIONID” has been rejected because it is in a cross-site context and its “SameSite” is “Lax” or “Strict”. We have worked around the issue by configuring exceptions in the Security & Privacy settings, but I am curious to why Firefox rejects the cookie with this error message.

Všechny odpovědi (1)

Øyvind Wergeland
Øyvind Wergeland Autor dotazu
more options

I am not sure what you mean by "the site in question"? In production our back-end and front-end are served from two different subdomains of our domain, and here Firefox works with default settings.

The issue occurs when developers run the front-end from localhost (served by webpack-dev-server), and logs into our back-end. The ESSESSIONID cookie is set in the response to our callback endpoint for authorization code flow in our back-end.

It takes some effort to set up a public repro, and we are able to work around it, but I am curious to why Firefox logs an error that seems to contradict the set-cookie header.