rails: Cookie “_rails6_session” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute.
Firefox 76 console warning: Cookie “_rails6_session” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite” attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies new.
Chrome 83 console warning (added 29 May): “A cookie associated with a cross-site resource at <URL> was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>.”
Steps to reproduce
This error shows in the web console in Firefox (76.0) and Firefox Dev Edition (76.0b8). Does not show in Firefox (75.0) or Chrome (81.0.4044.129).
Seems to be occurring due to a change in Firefox 76.
Expected behavior
Warning seems to be referencing a Rails 6 internal.
Actual behavior
Address warning so it does not show in Firefox 76.
System configuration
Warning shows with ruby 2.6.5 and rails 6.0.2. I upgraded to latest ruby 2.7.1 and rails 6.0.3 and error still occurs.
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Reactions: 9
- Comments: 17 (6 by maintainers)
While Mozilla may have bad timing, they’re not alone in wanting to make this change, and they’re not wrong.
The article also clearly states that the pause in rollout is a temporary one related to covid19.
The sameSite change is coming (just like winter).
If you generate a new application, yes. If you are updating an existing application you still need to change the cookies_same_site_protection configuration, or use the Rails 6.1 default configurations. See https://github.com/rails/rails/blob/38998af1d9035d529e553251ae441f0c09b7e8ab/railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_6_1.rb.tt#L22-L26
Thanks for the update. I use Firefox Dev Edition for development and it was showing as a warning and I couldn’t find any reference to it elsewhere, especially as it was referring to rails6_session. Yes, seems it’s come through to the latest Firefox.
That might be the case that it’s delayed, but sounds like it should still be addressed within rails, especially knowing that the changes, while delayed are still coming.
Currently, in Rails <6.1 I believe the default is to set no SameSite value. The warning arises from a specific set of browser versions which would default this to SameSite=None and warn about a potential deprecation in combining that without Secure, but in the future, when actual enforcement against setting None without Secure will happen, will default to Lax instead. If we assume SameSite=Lax defaults in the browser (what Chrome and Firefox are now planning), what does closing this issue look like on the Rails side? Explicitly setting SameSite (with Lax defaults) on the Rails side is already slated for 6.1 (there’s some extensive discussion here).
I am seeing this also on the latest release of Firefox 76.0 (64-bit) Mozilla Firefox for Linux Mint - 1.0. This is not a development build.
The commits which fix this are included in Rails v6.1.0.rc1. You can enable them by specifying the RC in your Gemfile:

Then run bundle, then rails app:update. Afterwards, set Rails.application.config.action_dispatch.cookies_same_site_protection = :lax appropriately in your config, and you shouldn’t get any browser warnings.
Awesome! AFAIK it was slated from this thread. See post 8 May. Thanks for the link to the other discussion.
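The two rules the comments above describe (a cookie with no SameSite attribute is treated as Lax by current Chrome and Firefox, and SameSite=None without Secure is the combination Firefox 76 warns it will reject) can be checked on the server side before a browser ever complains. The following Ruby checker is an added example, not code from this issue thread or from Rails: it parses raw Set-Cookie header values and reports which rule each cookie falls under. The sample headers are constructed, and the finding names are my own.

```ruby
# Added example (not from the rails/rails issue or from Rails itself): audit
# Set-Cookie header values against the SameSite rules quoted in the thread.

VALID_SAME_SITE = %w[lax strict none].freeze

# Parse a single Set-Cookie header value into its name, value and attributes.
# Attribute names are case-insensitive, so they are stored lower-cased; flag
# attributes such as Secure and HttpOnly are stored with the value true.
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  attributes = attrs.each_with_object({}) do |attr, memo|
    next if attr.empty? # tolerate a trailing ';'
    key, val = attr.split('=', 2)
    memo[key.downcase] = val.nil? ? true : val.strip
  end
  { name: name, value: value, attributes: attributes }
end

# Classify one cookie against the browser behaviour described in the thread:
#   :rejected_none_without_secure  SameSite=None without Secure; Firefox 76 warns
#                                  that a future release will reject the cookie
#   :defaults_to_lax               no (or an invalid) SameSite attribute; Chrome
#                                  and Firefox treat it as Lax, so it is not
#                                  sent on cross-site requests (the Chrome 83
#                                  warning)
#   :ok                            an explicit SameSite value the browser honours
def same_site_finding(header)
  attrs = parse_set_cookie(header)[:attributes]
  secure = attrs.key?('secure')
  same_site = attrs['samesite']
  same_site = same_site.downcase if same_site.is_a?(String)

  return :defaults_to_lax unless VALID_SAME_SITE.include?(same_site)
  return :rejected_none_without_secure if same_site == 'none' && !secure

  :ok
end

# Audit every Set-Cookie header of a response; returns { cookie_name => finding }.
def audit_set_cookie_headers(headers)
  headers.each_with_object({}) do |header, report|
    report[parse_set_cookie(header)[:name]] = same_site_finding(header)
  end
end

# Constructed sample headers (not captured from a real application). The first
# mirrors the pre-6.1 Rails default the thread describes: no SameSite at all.
SAMPLE_HEADERS = [
  '_rails6_session=abc123; path=/; HttpOnly',
  'tracking=xyz; path=/; SameSite=None',
  '_rails6_session_fixed=abc123; path=/; HttpOnly; Secure; SameSite=Lax'
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_set_cookie_headers(SAMPLE_HEADERS).each do |name, finding|
    puts "#{name}: #{finding}"
  end
end
```

Feed it the Set-Cookie headers of a real response (for example from a rack-test request or curl -i) before and after setting cookies_same_site_protection: the pre-6.1 session cookie comes back as defaults_to_lax, and the cookie written with Secure and SameSite=Lax comes back as ok.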
I expect this thread will stay open until 6.1 is delivered or other issues arise with this.
Take a look at this recent post from Mozilla.