A recently introduced change to the way the Firefox browser handles cookies is said to be breaking a number of websites, including the gov.uk platform, with web developers being urged to re-examine their web code.
Mozilla is changing the default value of the SameSite attribute in the Firefox browser from ‘none’ to ‘lax’, meaning the browser will withhold cookies on cross-site requests unless the user navigates to the URL from an external site.
According to reports on GitHub, services on the gov.uk platform are not usable following the SameSite changes, with users experiencing broken elements or pictures missing, for example, on affected sites.
Under the previous default settings of ‘none’, cookie data can be shared with third parties or external sites for advertising embedding content, or other cross-site sharing purposes. If any site hasn’t actually set a SameSite value, Firefox will treat it as ‘lax’ by default, instead of ‘none’, as it has done previously.
The change is designed to guard web users against cross-site request forgery (CSRF) attacks, in which a malicious site attempts to use valid cookies from a legitimate site in order to carry out an attack. This is not to be confused with cross-site scripting (XSS) attacks, in which the victim’s browser executes a script that’s been injected by an attacker while they visit a legitimate website.
Google also started a phased rollout of the SameSite attribute tweak in its Chrome browser earlier this year, however this was then stalled after the company received a number of similar reports of broken sites.
The issue largely comes down to developers not traditionally specifying their SameSite value during the construction of their sites. Treating these unset values as ‘lax’ by default means these sites will have to manually set their SameSite setting to ‘none’ if they wish to continue their previous arrangements, in addition to enabling HTTPS, in order to avoid breaking.
“Testing in the Firefox Nightly and Beta channels has shown that website breakage does occur,” said Mike Conca, group product manager for Firefox. “While we have reached out to those sites we’ve encountered and encouraged them to set the SameSite attribute on their web properties, the web is clearly too big to do this on a case-by-case basis.
“It is important that all web developers test their sites against this new default. This will prepare you for when both Firefox and Chrome browsers make the switch in their respective release channels.”
Mozilla rolled out the change to approximately half of its Firefox Beta user base with Firefox 79, distributed in June this year. The new SameSite behaviour was the default in the company’s Firefox Nightly pre-release browser since February 2020.
There is currently no timeline to ship the change to the Firefox release channel, as the developers are aiming to see Beta users experiencing a more smooth browsing experience, with the “unacceptable amount of site breakage” dwindling. Mozilla has established a Bugzilla hub to track broken functionality across the web, as this is difficult to determine using telemetry data alone, and relies on reports from users.
The company has also urged web developers to test their sites against this new default settings, as this will prepare them for when both Firefox and Chrome browsers make the switch in their respective release channels. Although Mozilla has approached individual sites to notify them, Conca added the scale of the issue means it’s impossible to resolve this alone on a case-by-case basis.
