Bug 267273: RESOLVED FIXED
[Soup]: document.cookie= sameSite default value has changed to Lax
https://bugs.webkit.org/show_bug.cgi?id=267273
Max Schmitt
Reported 2024-01-09 08:26:00 PST
Reproduction:
1. Navigate to http://example.com/
2. Evaluate in Inspector: document.cookie = 'username=John Doe';
3. Open Storage -> Cookies in Inspector

Expected: sameSite: None
Actual: sameSite: Lax

sameSite: None is what Chrome and WebKit on macOS do. So this seems like a regression/unexpected. This regression happens since https://gitlab.gnome.org/GNOME/libsoup/-/commit/efc5efba6db6478a5fcb8c938ef0dcd10b35b136 (v3.3.0).

Related discussions: https://github.com/WebKit/WebKit/pull/21905#issuecomment-1883175087
Patrick Griffis
Comment 1 2024-01-22 13:13:51 PST
I'm slightly confused because all Google documentation suggests they are Lax by default: https://www.chromium.org/updates/same-site/?pli=1#20210318]-

However, in testing Chrome indeed is not Lax by default. Firefox is also not Lax by default but prints a warning:

> Cookie “custom_cookie” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

So libsoup may have been premature in making this change.
Patrick Griffis
Comment 2 2024-01-22 15:18:41 PST
With some further testing it seems that Chrome in behavior treats them as Lax, but the inspector shows them as unset still. So AFAICT we match Chrome.
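
The distinction discussed in comments 1 and 2, between the SameSite value a cookie declares (what the Inspector lists) and the policy enforced when the attribute is missing, can be modelled as follows. This is an added example, not part of the bug thread and not WebKit or libsoup code; the function names and request contexts are assumptions, and the model covers only the attribute and the request context.

```javascript
// Declared SameSite attribute of a cookie string, or "unset" when absent.
// If the attribute repeats, the last occurrence wins.
function parseSameSite(cookieString) {
  let declared = "unset";
  for (const part of cookieString.split(";").slice(1)) {
    const [name, value = ""] = part.split("=");
    if (name.trim().toLowerCase() !== "samesite") continue;
    const v = value.trim().toLowerCase();
    // Assumption: an unrecognised value is handled like a missing attribute.
    declared = { strict: "Strict", lax: "Lax", none: "None" }[v] || "unset";
  }
  return declared;
}

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// defaultPolicy is what the engine enforces for "unset": "Lax" or "None".
// request: { sameSite: boolean, topLevelNavigation: boolean, method: string }
function isAttached(cookieString, defaultPolicy, request) {
  const declared = parseSameSite(cookieString);
  const mode = declared === "unset" ? defaultPolicy : declared;
  if (request.sameSite || mode === "None") return true;
  if (mode === "Strict") return false;
  // Lax: cross-site only on top-level navigations using a safe method.
  return request.topLevelNavigation &&
    SAFE_METHODS.has(request.method.toUpperCase());
}

// Constructed request contexts for the comparison.
const CONTEXTS = {
  sameSiteFetch: { sameSite: true, topLevelNavigation: false, method: "GET" },
  crossSiteLinkClick: { sameSite: false, topLevelNavigation: true, method: "GET" },
  crossSiteFormPost: { sameSite: false, topLevelNavigation: true, method: "POST" },
  crossSiteSubresource: { sameSite: false, topLevelNavigation: false, method: "GET" },
};

// Shows where a default of None and a default of Lax diverge for one cookie.
function compare(cookieString) {
  const rows = {};
  for (const [name, req] of Object.entries(CONTEXTS)) {
    rows[name] = {
      defaultNone: isAttached(cookieString, "None", req),
      defaultLax: isAttached(cookieString, "Lax", req),
    };
  }
  return { declared: parseSameSite(cookieString), rows };
}

console.log(compare("username=John Doe")); // the cookie from the reproduction
```

A cookie that reads as unset in an inspector can therefore still be withheld from cross-site subresource and POST requests, so test expectations need to check request behaviour as well as the listed attribute.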
Max Schmitt
Comment 3 2024-06-05 13:43:54 PDT
Marking as resolved, since we adjusted test expectations.