Mozilla engineers are planning to add a new security feature to Firefox with the addition of same-site cookie support in Firefox 60, scheduled for release next month, on May 9.

The same-site cookie feature is meant to block websites from loading cookies downloaded from other domains that do not match the URL present in the Firefox address bar. For example, with same-site cookies enabled on a website, Firefox won't load cookies from facebook.com if a user is currently visiting domain.com.

Same-site cookies will help defend against CSRF attacks

Firefox devs say the same-site cookie feature (also spelled SameSite) is intended to protect users against cross-site request forgery (CSRF) attacks.

CSRF takes place when attackers trick users into taking an action but forge another operation in the background. For example, a user might click on a malicious link, but the attacker uses the click to submit modified account settings on another site by hijacking local cookies.

This usually happens because browsers automatically attach a domain's cookies to every request sent to that domain. Attackers abuse this "cookie auto-appending" mechanism to make requests to other sites, effectively hijacking the user's other locally stored cookies (while the user is on a totally different site) to perform malicious operations on legitimate sites without the user's knowledge.

Because of the current design of web technologies, web apps and websites cannot reliably distinguish between actions initiated by an actual user and those carried out by automated scripts, such as the scripted actions of a CSRF attack.

By adding support for same-site cookies in Firefox, Mozilla engineers are giving website operators a new setting they can configure for their apps and portals to prevent attackers from hijacking cookies for nefarious actions.

Website owners must add support for the SameSite attribute

But this isn't a security feature that depends on users, or Mozilla, for that matter. The "SameSite" attribute must be set by website owners in their site's HTTP response headers, similarly to how they'd configure the standard Set-Cookie header field.

According to the IETF specification, two settings will be available for website operators: Strict and Lax.

When a website owner uses a "strict" setting for his website, Firefox will refuse to attach cookies for other HTTP requests if they are not for the same domain as the URL loaded in the address bar.

For the "lax" setting, Firefox will load cookies from other domains if the user has arrived on the site using a "safe" method, such as clicking and following a link. So for example, if the user is on Facebook and clicks a link for domain.com, then domain.com with a lax same-site cookie policy will load cookies from both domain.com and Facebook, but refuse to work with cookies for other domains.
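The two settings can be seen side by side in a small JavaScript model, added here as an example and not taken from the original article or from Firefox's code: the site sets SameSite on its Set-Cookie header, and the browser decides per request whether to attach the cookie. The function names, request fields and sample requests are constructed for illustration, and sites are assumed to be given as registrable domains.

```javascript
// Added example: a model of the SameSite rules, not browser source code.
// Assumption: "site" values are already registrable domains ("domain.com");
// real browsers derive them from the URL using the Public Suffix List.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Server side: build a Set-Cookie header value carrying SameSite.
function buildSetCookie(name, value, sameSite) {
  if (sameSite !== "Strict" && sameSite !== "Lax") {
    throw new Error(`unsupported SameSite value: ${sameSite}`);
  }
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=${sameSite}`;
}

// Read the SameSite attribute back out of a Set-Cookie value.
// Absent or unrecognised values return null (a simplification of this model).
function parseSameSite(setCookie) {
  for (const part of setCookie.split(";").slice(1)) {
    const [key, val = ""] = part.trim().split("=");
    if (key.toLowerCase() !== "samesite") continue;
    const v = val.trim().toLowerCase();
    if (v === "strict") return "Strict";
    if (v === "lax") return "Lax";
  }
  return null;
}

// Browser side: is the cookie attached to a request for req.targetSite?
function shouldAttach(setCookie, req) {
  const policy = parseSameSite(setCookie);
  if (policy === null) return true;                       // no attribute: sent with every request
  if (req.initiatorSite === req.targetSite) return true;  // same-site request
  if (policy === "Strict") return false;                  // never sent cross-site
  // Lax: cross-site only on a top-level navigation that uses a safe method.
  return req.topLevelNavigation === true && SAFE_METHODS.has(req.method.toUpperCase());
}

// Constructed requests, all targeting domain.com.
const REQUESTS = {
  forgedPost: { initiatorSite: "attacker.example", targetSite: "domain.com", method: "POST", topLevelNavigation: true },
  linkClick:  { initiatorSite: "facebook.com", targetSite: "domain.com", method: "GET", topLevelNavigation: true },
  embedded:   { initiatorSite: "attacker.example", targetSite: "domain.com", method: "GET", topLevelNavigation: false },
  ownPage:    { initiatorSite: "domain.com", targetSite: "domain.com", method: "POST", topLevelNavigation: false },
};
```

With a Lax cookie only `linkClick` and `ownPage` carry the session; with Strict only `ownPage` does, which is why a Strict session cookie makes users who follow an external link appear logged out on arrival.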

More information on how website owners can take advantage of the SameSite cookies feature is available in the IETF RFC 6265 specification.

Chrome has been supporting same-site cookies since version 63, released in December 2017. Other browsers that support same-site cookies are Opera (since v51), Chrome for Android (since v64), and Samsung Internet (since v6.2).
