{"id":41189,"date":"2020-08-06T11:04:24","date_gmt":"2020-08-06T11:04:24","guid":{"rendered":"http:\/\/icloud.pe\/blog\/?guid=075ea1a358c4423d655adcd5babf0ddf"},"modified":"2020-08-06T11:04:24","modified_gmt":"2020-08-06T11:04:24","slug":"gov-uk-site-among-those-broken-by-firefox-cookie-changes","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/gov-uk-site-among-those-broken-by-firefox-cookie-changes\/","title":{"rendered":"Gov.uk site among those broken by Firefox cookie changes"},"content":{"rendered":"


\n Keumars Afifi-Sabet<\/a><\/span>
\n <\/span><\/p>\n

\n
\n
6 Aug, 2020<\/span><\/div>\n<\/p><\/div>\n<\/div>\n

\n<\/a><\/p>\n

\n

A recently introduced change\u00a0to the way the\u00a0Firefox browser<\/a>\u00a0handles\u00a0cookies is said to be breaking a number of websites, including the gov.uk platform, with web developers being urged to re-examine their web code.<\/span><\/p>\n

Mozilla is changing the default value of the SameSite attribute in the Firefox browser from \u2018none\u2019 to \u2018lax\u2019,\u00a0meaning the browser will withhold cookies on cross-site requests unless the user navigates to the\u00a0URL<\/a>\u00a0from an external site.<\/span><\/p>\n

According to reports on GitHub,\u00a0<\/span>services on the gov.uk platform are not usable<\/a>\u00a0following the SameSite changes, with users experiencing broken elements or pictures missing, for example, on affected sites.<\/span><\/p>\n

\n

Under the previous default settings of \u2018none\u2019, cookie data can be shared with third parties or external sites for advertising embedding content, or other cross-site sharing purposes. If any site hasn\u2019t actually set a SameSite value,\u00a0Firefox will treat it as \u2018lax\u2019 by default, instead of \u2018none\u2019, as it has done previously<\/a>.<\/span><\/p>\n

The change is designed\u00a0to guard web users against cross-site request forgery (CSRF) attacks, in which a malicious site attempts to use valid cookies from a legitimate site in order to carry out an attack. This is not to be confused with\u00a0<\/span>cross-site scripting (XSS) attacks<\/a>, in which the victim\u2019s browser executes a script that\u2019s been injected by an attacker while they visit a legitimate website.<\/span><\/p>\n<\/div>\n

\n
\n
\n
\n
Google\u00a0also\u00a0started a phased rollout<\/a>\u00a0of the SameSite attribute tweak\u00a0in its Chrome browser earlier this year, however this\u00a0was then\u00a0stalled\u00a0after the company received a number of similar reports of broken sites.<\/div>\n
\n

The issue largely comes down to developers not traditionally specifying their\u00a0SameSite value during the construction of their sites. Treating these unset values as \u2018lax\u2019 by default means these sites will have to manually set their SameSite setting to \u2018none\u2019 if they wish to continue their previous arrangements,\u00a0in addition to enabling HTTPS<\/a>, in order to avoid breaking.<\/span><\/p>\n