site among those broken by Firefox cookie changes

Developers urged to review their code before Mozilla changes SameSite cookie settings to ‘lax’ by default


A recently introduced change to the way the Firefox browser handles cookies is said to be breaking a number of websites, including the platform, with web developers being urged to re-examine their web code.

Mozilla is changing the default value of the SameSite attribute in the Firefox browser from ‘none’ to ‘lax’, meaning the browser will withhold cookies on cross-site requests unless the user navigates to the URL from an external site.

According to reports on GitHub, services on the platform are not usable following the SameSite changes, with users experiencing broken elements or pictures missing, for example, on affected sites.

Under the previous default of ‘none’, cookie data can be shared with third parties or external sites for advertising, embedding content, or other cross-site sharing purposes. If a site hasn’t actually set a SameSite value, Firefox will now treat it as ‘lax’ by default, instead of ‘none’ as it did previously.

The change is designed to guard web users against cross-site request forgery (CSRF) attacks, in which a malicious site attempts to use valid cookies from a legitimate site in order to carry out an attack. This is not to be confused with cross-site scripting (XSS) attacks, in which the victim’s browser executes a script that’s been injected by an attacker while they visit a legitimate website.

Google also started a phased rollout of the SameSite attribute tweak in its Chrome browser earlier this year, but the rollout was then stalled after the company received a number of similar reports of broken sites.

The issue largely comes down to developers traditionally not specifying a SameSite value when building their sites. Treating these unset values as ‘lax’ by default means such sites will have to explicitly set SameSite to ‘none’, in addition to enabling HTTPS, if they wish to keep their previous cross-site behaviour and avoid breaking.
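To make the change concrete, here is an added example (not code from the IT Pro article, Mozilla or Firefox) that models the SameSite decision a browser makes when deciding whether to attach a cookie to a request, and runs it over a few constructed Set-Cookie headers under the old ‘none’ default and the new ‘lax’ default. It goes a little beyond the article by also covering Strict and top-level POST navigations. The rule that SameSite=None is only honoured for Secure cookies over HTTPS is an assumption drawn from the article’s note that HTTPS must be enabled alongside ‘none’; the header values and request contexts are constructed for illustration.

```javascript
// Added example, not code from the IT Pro article, Mozilla or Firefox: a small
// model of the SameSite check a browser applies when attaching cookies, used to
// audit Set-Cookie headers for the 'none' -> 'lax' default change.
// All header values and request contexts below are constructed for illustration.

// Browser policies. "noneRequiresSecure" is an assumption drawn from the article's
// note that SameSite=None must be paired with HTTPS.
const OLD_POLICY = { defaultSameSite: 'none', noneRequiresSecure: false };
const NEW_POLICY = { defaultSameSite: 'lax', noneRequiresSecure: true };

const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

// Parse a single Set-Cookie header into { name, value, secure, sameSite }.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    secure: false,
    sameSite: null, // null means the site never set the attribute
  };
  for (const attr of parts.slice(1)) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// Decide whether the browser attaches the cookie to a request in the given context.
// ctx: { crossSite, topLevelNavigation, method, https }
function wouldSend(cookie, ctx, policy) {
  if (!ctx.crossSite) return true; // same-site requests carry the cookie in every mode
  const mode = cookie.sameSite || policy.defaultSameSite; // unset attribute -> browser default
  switch (mode) {
    case 'strict':
      return false; // never sent cross-site
    case 'lax':
      // Only top-level navigations using a safe method get the cookie.
      return ctx.topLevelNavigation && SAFE_METHODS.includes(ctx.method.toUpperCase());
    case 'none':
      // Sent cross-site, subject to the Secure/HTTPS rule when the policy enforces it.
      return policy.noneRequiresSecure ? cookie.secure && ctx.https : true;
    default:
      return false; // unknown value: treat conservatively
  }
}

// Report every (cookie, context) pair whose behaviour differs between the two
// policies, with the remediation the article describes.
function auditForLaxDefault(headers, contexts) {
  const findings = [];
  for (const header of headers) {
    const cookie = parseSetCookie(header);
    for (const ctx of contexts) {
      const before = wouldSend(cookie, ctx, OLD_POLICY);
      const after = wouldSend(cookie, ctx, NEW_POLICY);
      if (before === after) continue;
      let fix;
      if (cookie.sameSite === null) {
        fix = 'set "SameSite=None; Secure" if cross-site delivery is intended, otherwise set SameSite=Lax explicitly';
      } else if (cookie.sameSite === 'none' && !cookie.secure) {
        fix = 'add the Secure attribute and serve over HTTPS (SameSite=None requires it)';
      } else {
        fix = 'review: an explicit SameSite value is already present';
      }
      findings.push({ cookie: cookie.name, context: ctx.label, before, after, fix });
    }
  }
  return findings;
}

// Constructed sample data: headers a site might emit and contexts the browser evaluates.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly',     // no SameSite: inherits the browser default
  'embed_pref=dark; SameSite=None; Secure', // already prepared for the new default
  'csrf_token=xyz; SameSite=Strict',        // unaffected by the default change
  'legacy_widget=1; SameSite=None',         // None without Secure
];
const SAMPLE_CONTEXTS = [
  { label: 'cross-site image or iframe embed', crossSite: true, topLevelNavigation: false, method: 'GET', https: true },
  { label: 'cross-site link click', crossSite: true, topLevelNavigation: true, method: 'GET', https: true },
  { label: 'cross-site POST form', crossSite: true, topLevelNavigation: true, method: 'POST', https: true },
  { label: 'same-site request', crossSite: false, topLevelNavigation: false, method: 'GET', https: true },
];

console.log(JSON.stringify(auditForLaxDefault(SAMPLE_HEADERS, SAMPLE_CONTEXTS), null, 2));
```

Running it lists five findings: the attribute-less `sessionid` cookie stops being sent on cross-site embeds and cross-site POST submissions (it still arrives on a plain cross-site link click, which Lax permits), and `legacy_widget` stops being sent in every cross-site context because it declares None without Secure. The cookies that already carry an explicit, well-formed SameSite value produce no findings, which is exactly the state Mozilla is asking developers to reach.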

“Testing in the Firefox Nightly and Beta channels has shown that website breakage does occur,” said Mike Conca, group product manager for Firefox. “While we have reached out to those sites we’ve encountered and encouraged them to set the SameSite attribute on their web properties, the web is clearly too big to do this on a case-by-case basis.

“It is important that all web developers test their sites against this new default. This will prepare you for when both Firefox and Chrome browsers make the switch in their respective release channels.”

Mozilla rolled out the change to approximately half of its Firefox Beta user base with Firefox 79, distributed in June this year. The new SameSite behaviour was the default in the company’s Firefox Nightly pre-release browser since February 2020.

There is currently no timeline to ship the change to the Firefox release channel, as the developers want Beta users to have a smoother browsing experience first, with the “unacceptable amount of site breakage” dwindling. Mozilla has established a Bugzilla hub to track broken functionality across the web, as this is difficult to determine from telemetry data alone and relies on reports from users.

The company has also urged web developers to test their sites against this new default setting, as this will prepare them for when both Firefox and Chrome make the switch in their respective release channels. Although Mozilla has approached individual sites to notify them, Conca added that the scale of the issue means it’s impossible to resolve on a case-by-case basis alone.
