Jetpack: FF beta 76.0b3 is unhappy with 'wpc_wpc' and 'wordpress_eli' cookies
Steps to reproduce the issue
I did not yet published the site, so I am unfortunately unable to quite point to a public WP site that would reproduce the console warnings.
I have a freshly upgraded WP 5.4 managed at bluehost, which comes with Jetpack preinstalled.
When I open a post with a comment form in it in normal view mode (not in the editor), two warnings are logged in the Firefox console:
Cookie “wpc_wpc” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To learn more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies jetpack-comment
Cookie “wordpress_eli” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To learn more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies
Both messages are referring to the URL https://jetpack.wordpress.com/jetpack-comment/?blogid=[REDACTED]&postid=486&comment_registration=0&require_name_email=1&stc_enabled=1&stb_enabled=1&show_avatars=1&avatar_default=identicon&greeting=Leave+a+Reply&greeting_reply=Leave+a+Reply+to+%25s&color_scheme=light&lang=en_US&jetpack_version=8.4.1&hc_post_as=jetpack&hc_userid=2&hc_username=[REDACTED]&hc_userurl=&hc_useremail=aaf5827d09d4eb31df2e3e25d1de9bd8&_wp_unfiltered_html_comment=a60709a1e3&token_key=%3Bnormal%3B&sig=8f95d5bc7d9ed1420caef685771085069c8fa877#parent=https%3A%2F%2F[REDACTED]%2F486
The wpc_wpc cookie is shown in the FF dev tools Storage tab with the following attributes:
Created:"Fri, 10 Apr 2020 08:23:02 GMT"Domain:".wordpress.com"
Expires / Max-Age:"Session"
HostOnly:false
HttpOnly:false
Last Accessed:"Sat, 11 Apr 2020 04:02:58 GMT"
Path:"/"
SameSite:"None"
Secure:false
Size:419
So yes, indeed, SameSite is set to "None" and Secure to false, exactly as the warning says. I am not qualified to assess the degree of functional degradation expected when FF finally follows through the promise to block these cookies.
Hope I provided enough information, and I'll be happy to follow up.
What I expected
No warning that something is about to break soon.
What happened instead
As above. I had to redact some information, I do not really understand the amount of PII in this URL. I'd be happy to provide the full URL via a private channel, if the redacted part are important to diagnose the issue.
Browser: Firefox 76.0b3 (beta channel), 64-bit, Windows 10.
kkm000
All 4 comments
More info: I opened the page in a private browse mode and posted a test comment from an imaginary user, without using the registration icons, just by filling the email and name in the form, and not even checking the box "Remember the The errors were logged the moment I clicked on the "Submit." The behavior was slightly different: a different set of cookies:
Cookie “jetpack_comments_subscribe_44f261570b0d4de8519e2356a0f2f1f8_220” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To learn more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies
Cookie “jetpack_blog_subscribe_44f261570b0d4de8519e2356a0f2f1f8” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To learn more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies
Cookie “comment_author_44f261570b0d4de8519e2356a0f2f1f8” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To learn more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies
Cookie “comment_author_email_44f261570b0d4de8519e2356a0f2f1f8” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To learn more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies
Cookie “comment_author_url_44f261570b0d4de8519e2356a0f2f1f8” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To learn more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies
And the source URL shown in console was https://100d.space/wp-comments-post.php?for=jetpack, different from that long URL I posted in the original message.
The error as reported reproduces exactly when I load the same page in the browser logged on to wordpress.com and google accounts. Also, the warnings are printed immediately when I load the page, and every time I hard-refresh (S-C-r) it, not even trying to comment.
Hope this tidbit is helpful. The site is live now; I created the page https://100d.space/jetpack-15414 hidden from the pages widget, otherwise public, in case you need to repro. The site is hosted by BlueHost, if this matters.
kkm000
on 19 Apr 2020
Thanks for the extra details! We'll comment here as soon as we make progress on this.
jeherve
on 20 Apr 2020
Sure thing, thanks!
It seems that FF tightening up on security and privacy. I run a nightly build on another computer, even more interesting stuff pops up (not with Jetpack tho; I'd let you know if it did).
kkm000
on 20 Apr 2020
Also reported in 3612756-zen
jeherve
on 14 Jan 2021
Related issues
ockham
·
3Comments
NicktheGeek
·
3Comments
kevinlisota
·
3Comments
jeherve
·
3Comments
BinaryMoon
·
3Comments