Bug 1604212 - Enable sameSite=lax by default, r=Ehsan,ahal

Differential Revision: https://phabricator.services.mozilla.com/D63081

--HG--
extra : moz-landing-system : lando

modules/libpref/init/StaticPrefList.yaml

@@ -7020,18 +7020,18 @@
 
 - name: network.cookie.sameSite.laxByDefault
   type: bool
-  value: false
+  value: @IS_NIGHTLY_BUILD@
   mirror: always
 
 # lax-by-default 2 minutes tollerance for unsafe methods. The value is in seconds.
 - name: network.cookie.sameSite.laxPlusPOST.timeout
   type: uint32_t
-  value: 0
+  value: 120
   mirror: always
 
 - name: network.cookie.sameSite.noneRequiresSecure
   type: bool
-  value: false
+  value: @IS_NIGHTLY_BUILD@
   mirror: always
 
 - name: network.cookie.thirdparty.sessionOnly

netwerk/test/TestCookie.cpp

@@ -186,6 +186,11 @@ void InitPrefs(nsIPrefBranch* aPrefBranch) {
   aPrefBranch->SetIntPref(kPrefCookieQuotaPerHost, 49);
   // Set the base domain limit to 50 so we have a known value.
   aPrefBranch->SetIntPref(kCookiesMaxPerHost, 50);
+
+  // SameSite=none by default. We have other tests for lax-by-default.
+  // XXX: Bug 1617611 - Fix all the tests broken by "cookies sameSite=lax by
+  // default"
+  Preferences::SetBool("network.cookie.sameSite.laxByDefault", false);
 }
 
 TEST(TestCookie, TestCookieMain)

testing/profiles/geckoview-junit/user.js

@@ -0,0 +1,6 @@
+// Base preferences file used by the mochitest
+/* globals user_pref */
+/* eslint quotes: 0 */
+
+// XXX: Bug 1617611 - Fix all the tests broken by "cookies sameSite=lax by default"
+user_pref("network.cookie.sameSite.laxByDefault", false);

testing/profiles/mochitest/user.js

@@ -0,0 +1,6 @@
+// Base preferences file used by the mochitest
+/* globals user_pref */
+/* eslint quotes: 0 */
+
+// XXX: Bug 1617611 - Fix all the tests broken by "cookies sameSite=lax by default"
+user_pref("network.cookie.sameSite.laxByDefault", false);

testing/profiles/moz.build

@@ -7,6 +7,8 @@
 profile_files = [
     'base/*',
     'common/*',
+    'geckoview-junit/*',
+    'mochitest/*',
     'perf/*',
     'profiles.json',
     'profileserver/*',

testing/profiles/profiles.json

@@ -1,6 +1,6 @@
 {
-    "geckoview-junit": ["base", "common", "unittest-required", "unittest-features"],
-    "mochitest": ["base", "common", "unittest-required", "unittest-features"],
+    "geckoview-junit": ["base", "common", "unittest-required", "unittest-features", "geckoview-junit"],
+    "mochitest": ["base", "common", "unittest-required", "unittest-features", "mochitest"],
     "profileserver": ["base", "common", "unittest-required", "unittest-features", "profileserver"],
     "raptor": ["base", "common", "perf", "raptor"],
     "reftest": ["base", "common", "reftest"],

testing/profiles/xpcshell/user.js

@@ -28,3 +28,5 @@ user_pref("idle.lastDailyNotification", -1);
 // Enable telemetry event ping during tests, even for geckoview, where it
 // is normally disabled.
 user_pref("toolkit.telemetry.eventping.enabled", true);
+// XXX: Bug 1617611 - Fix all the tests broken by "cookies sameSite=lax by default"
+user_pref("network.cookie.sameSite.laxByDefault", false);

testing/web-platform/meta/cookies/samesite/__dir__.ini

@@ -1 +1,2 @@
 leak-threshold: [default:51200]
+prefs: [network.cookie.sameSite.laxPlusPOST.timeout: 0]

testing/web-platform/meta/cookies/samesite/fetch.https.html.ini

@@ -1,4 +1,5 @@
 [fetch.https.html?legacy-samesite]
+  prefs: [network.cookie.sameSite.laxByDefault:false, network.cookie.sameSite.noneRequiresSecure:false]
   [Cross-site redirecting to same-host fetches are strictly same-site]
     expected: FAIL
 
@@ -7,7 +8,6 @@
 
 
 [fetch.https.html]
-  prefs: [network.cookie.sameSite.laxByDefault:true, network.cookie.sameSite.noneRequiresSecure:true]
   [Cross-site redirecting to same-host fetches are strictly same-site]
     expected: FAIL
 

testing/web-platform/meta/cookies/samesite/form-get-blank.https.html.ini

@@ -1,5 +1,4 @@
 [form-get-blank.https.html]
-  prefs: [network.cookie.sameSite.laxByDefault:true, network.cookie.sameSite.noneRequiresSecure:true]
   [Cross-site redirecting to subdomain top-level form GETs are strictly same-site]
     expected: FAIL
 
@@ -8,6 +7,7 @@
 
 
 [form-get-blank.https.html?legacy-samesite]
+  prefs: [network.cookie.sameSite.laxByDefault:false, network.cookie.sameSite.noneRequiresSecure:false]
   [Cross-site redirecting to subdomain top-level form GETs are strictly same-site]
     expected: FAIL
 

testing/web-platform/meta/cookies/samesite/form-post-blank-reload.https.html.ini

@@ -1,5 +1,4 @@
 [form-post-blank-reload.https.html]
-  prefs: [network.cookie.sameSite.laxByDefault:true, network.cookie.sameSite.noneRequiresSecure:true]
   expected:
     if os == "android": TIMEOUT
     ERROR
@@ -14,6 +13,7 @@
 
 
 [form-post-blank-reload.https.html?legacy-samesite]
+  prefs: [network.cookie.sameSite.laxByDefault:false, network.cookie.sameSite.noneRequiresSecure:false]
   expected:
     if os == "android": TIMEOUT
     ERROR

testing/web-platform/meta/cookies/samesite/form-post-blank.https.html.ini

@@ -1,5 +1,4 @@
 [form-post-blank.https.html]
-  prefs: [network.cookie.sameSite.laxByDefault:true, network.cookie.sameSite.noneRequiresSecure:true]
   [Cross-site redirecting to same-host top-level form POSTs are strictly same-site]
     expected: FAIL
 
@@ -8,6 +7,7 @@
 
 
 [form-post-blank.https.html?legacy-samesite]
+  prefs: [network.cookie.sameSite.laxByDefault:false, network.cookie.sameSite.noneRequiresSecure:false]
   [Cross-site redirecting to same-host top-level form POSTs are strictly same-site]
     expected: FAIL
 

testing/web-platform/meta/cookies/samesite/iframe-reload.https.html.ini

@@ -1,4 +1,5 @@
 [iframe-reload.https.html?legacy-samesite]
+  prefs: [network.cookie.sameSite.laxByDefault:false, network.cookie.sameSite.noneRequiresSecure:false]
   expected:
     if processor == "aarch64": ["OK", "CRASH"]
   [Reloaded cross-site fetches are cross-site]
@@ -7,7 +8,6 @@
 
 
 [iframe-reload.https.html]
-  prefs: [network.cookie.sameSite.laxByDefault:true, network.cookie.sameSite.noneRequiresSecure:true]
   [Reloaded cross-site fetches are cross-site]
     expected:
       if fission: FAIL

testing/web-platform/meta/cookies/samesite/iframe.https.html.ini

@@ -1,5 +1,4 @@
 [iframe.https.html]
-  prefs: [network.cookie.sameSite.laxByDefault:true, network.cookie.sameSite.noneRequiresSecure:true]
   expected:
     if processor == "aarch64": ["OK", "CRASH"]
   [Cross-site redirecting to same-host fetches are strictly same-site]
@@ -10,6 +9,7 @@
 
 
 [iframe.https.html?legacy-samesite]
+  prefs: [network.cookie.sameSite.laxByDefault:false, network.cookie.sameSite.noneRequiresSecure:false]
   expected:
     if processor == "aarch64": ["OK", "CRASH"]
   [Cross-site redirecting to same-host fetches are strictly same-site]

testing/web-platform/meta/cookies/samesite/img.https.html.ini

@@ -1,5 +1,4 @@
 [img.https.html]
-  prefs: [network.cookie.sameSite.laxByDefault:true, network.cookie.sameSite.noneRequiresSecure:true]
   [Cross-site redirecting to same-host images are strictly same-site]
     expected: FAIL
 
@@ -8,6 +7,7 @@
 
 
 [img.https.html?legacy-samesite]
+  prefs: [network.cookie.sameSite.laxByDefault:false, network.cookie.sameSite.noneRequiresSecure:false]
   [Cross-site redirecting to same-host images are strictly same-site]
     expected: FAIL
 

testing/web-platform/meta/cookies/samesite/setcookie-lax.https.html.ini

@@ -1,4 +1,4 @@
 [setcookie-lax.https.html]
-  prefs: [network.cookie.sameSite.laxByDefault:true, network.cookie.sameSite.noneRequiresSecure:true]
 
 [setcookie-lax.https.html?legacy-samesite]
+  prefs: [network.cookie.sameSite.laxByDefault:false, network.cookie.sameSite.noneRequiresSecure:false]

testing/web-platform/meta/websockets/cookies/third-party-cookie-accepted.https.html.ini

@@ -1,4 +1 @@
-[third-party-cookie-accepted.https.html]
-  [Test that third-party cookies are accepted for WebSockets.]
-    expected: FAIL
-
+prefs: [network.cookie.sameSite.laxByDefault:true, network.cookie.sameSite.noneRequiresSecure:true]