Gov.uk site among those broken by Firefox cookie changes


Keumars Afifi-Sabet

6 Aug, 2020

A recently introduced change to the way the Firefox browser handles cookies is said to be breaking a number of websites, including the gov.uk platform, with web developers being urged to re-examine their web code.

Mozilla is changing the default value of the SameSite cookie attribute in the Firefox browser from ‘none’ to ‘lax’, meaning the browser will withhold cookies on cross-site requests unless the request is a top-level navigation, such as the user following a link to the URL from an external site.

According to reports on GitHub, services on the gov.uk platform are not usable following the SameSite changes, with users experiencing broken elements or pictures missing, for example, on affected sites.

Under the previous default of ‘none’, cookie data can be shared with third parties or external sites for advertising, embedding content, or other cross-site sharing purposes. If a site hasn’t actually set a SameSite value, Firefox will now treat it as ‘lax’ by default, instead of ‘none’, as it did previously.

The change is designed to guard web users against cross-site request forgery (CSRF) attacks, in which a malicious site attempts to use valid cookies from a legitimate site in order to carry out an attack. This is not to be confused with cross-site scripting (XSS) attacks, in which the victim’s browser executes a script that’s been injected by an attacker while they visit a legitimate website.

The issue largely comes down to developers not traditionally specifying a SameSite value when building their sites. Treating these unset values as ‘lax’ by default means these sites will have to explicitly set SameSite to ‘none’ if they wish to continue their previous arrangements, and also serve the cookie over HTTPS with the Secure attribute, in order to avoid breaking.
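The following is an added example, not code from the article, from Mozilla or from any gov.uk service. It models the cookie-sending rule the article describes so that a developer can check, per Set-Cookie header, whether a cookie that used to reach a cross-site embedded resource (an image or iframe, which is where the missing pictures come from) still does once an unset SameSite is treated as ‘lax’. The decision logic follows the standard SameSite semantics; the “SameSite=None needs Secure” rule is the reason HTTPS is part of the fix. The sample headers are constructed for the demo and the cookie names are hypothetical.

```python
# Added example: a small model of browser SameSite handling, used to audit
# Set-Cookie headers against the "unset SameSite means Lax" default.
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class Cookie:
    name: str
    value: str
    samesite: Optional[str]  # "Strict", "Lax", "None", or None when the attribute is unset
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse only the parts of a Set-Cookie header that matter for SameSite."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    samesite = None
    secure = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = val.strip().capitalize()  # normalise 'none' / 'NONE' -> 'None'
        elif key == "secure":
            secure = True
    return Cookie(name.strip(), value.strip(), samesite, secure)


def effective_samesite(cookie: Cookie, lax_by_default: bool) -> Optional[str]:
    """Return the SameSite mode the browser applies, or None if the cookie is rejected.

    lax_by_default=False models the old behaviour (unset attribute -> 'None').
    lax_by_default=True models the new Firefox default (unset attribute -> 'Lax'),
    under which an explicit SameSite=None without Secure is rejected outright.
    """
    if cookie.samesite is None:
        return "Lax" if lax_by_default else "None"
    if lax_by_default and cookie.samesite == "None" and not cookie.secure:
        return None  # asked for cross-site use but is not HTTPS-only: dropped
    return cookie.samesite


def cookie_sent(cookie: Cookie, *, cross_site: bool, top_level_navigation: bool,
                method: str = "GET", lax_by_default: bool = True) -> bool:
    """Decide whether the browser attaches this cookie to a given request."""
    mode = effective_samesite(cookie, lax_by_default)
    if mode is None:
        return False
    if not cross_site or mode == "None":
        return True
    if mode == "Strict":
        return False
    # Lax: cross-site cookies travel only on top-level navigations using safe methods
    return top_level_navigation and method.upper() in SAFE_METHODS


def audit_embedded_resource(headers):
    """For each header, report (sent_before, sent_after) for a cross-site
    embedded subresource such as an <img> or <iframe> (not a top-level navigation)."""
    report = {}
    for h in headers:
        c = parse_set_cookie(h)
        before = cookie_sent(c, cross_site=True, top_level_navigation=False, lax_by_default=False)
        after = cookie_sent(c, cross_site=True, top_level_navigation=False, lax_by_default=True)
        report[c.name] = (before, after)
    return report


# Constructed sample headers; hypothetical cookie names, not from any real service.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",      # no SameSite set at all: breaks under the new default
    "tracker=xyz; SameSite=None; Secure",    # correctly migrated: keeps working
    "legacy=old; SameSite=None",             # None without Secure: rejected under the new default
    "csrf=tok; SameSite=Strict; Secure",     # never meant to cross sites
]

if __name__ == "__main__":
    for name, (before, after) in audit_embedded_resource(SAMPLE_HEADERS).items():
        status = "still works" if after else ("BREAKS" if before else "never sent")
        print(f"{name:8} before={before!s:5} after={after!s:5} -> {status}")
```

Running the audit over a site's real Set-Cookie headers (for example, captured from its responses) flags exactly the cookies the article is talking about: those with no SameSite attribute that third-party embeds relied on, and those that already say SameSite=None but are missing Secure.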