[Flimm]

Firefox 59 is the first Firefox release to support SameSite cookie attribute, joining Chrome.

> Same-site cookies ("First-Party-Only" or "First-Party") allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.

I like this one!

[lloeki]

How does this play out WRT "Block 3rd party cookies" (which wasn't on by default on Fx and Cr but was on Safari since an eternity?)

[kibwen]

It sounds like they serve totally different purposes, where one is a server-side tool to improve security, and the other is a client-side tool to improve privacy.

[bzbarsky]

Note that the definition of "Block 3rd party cookies" in Safari is different from the one in Firefox (not sure about Chrome). Firefox blocks a lot more stuff when that option is enabled in Firefox than Safari does when its option is enabled, which causes more web compat problems.

[driverdan]

Blocking 3rd party cookies causes very few problems. I've blocked them for many years and have seen fewer than 10 sites it caused problems with. For those you can whitelist the domain.

[saberworks]

My experience has been the opposite. It breaks every Amazon Pay integration and a lot of Paypal integrations as well. It also breaks online banking for the two credit unions I use, both of which seem to use some 3rd party service to run their backends. And then just whitelisting the domain isn't a great solution because then that means they can drop any 3rd party cookies, not just the desirable ones. So suddenly my online banking works, but now I've got google trackers and whatever other crap they want to drop. I believe I was able to whitelist just those cookies but that was quite a few versions ago and the interface is different now so I can't find where I did it. The cookie interface is really terribe; when you go to the site information it tells you whether the site is storing any cookies, and many times it says "No" but if you click the "view cookies" link it shows a ton of them. This happens when the domain doesn't match exactly (for example www.example.com vs example.com) so you can't really trust the Yes|No info box.

[forapurpose]

> whitelisting the domain isn't a great solution because then that means they can drop any 3rd party cookies, not just the desirable ones

Try something like uMatrix or similar add-ons. They allow you to configure rules similar to application firewalls:

  cookie * * DENY
  cookie * 1stparty ALLOW
  cookie creditunion.org finserv.com ALLOW

Great interface too, at least what I've seen on uMatrix: Most rules are configured with one click in a 'matrix' of hosts and applications.

[bzbarsky]

It really depends. I, too, have been blocking them for years, with few problems. But other people run into problems more often. It really depends on the sites one uses.