apostrophe: CSRF cookies don't set SameSite Attribute. Will soon be rejected by browsers.
Install from Git, last week.
Developer tools console shows:
Cookie “multisite-ckkclehap000k3i4sxv7zp87b.csrf” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite” attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
To Reproduce
Step by step instructions to reproduce the behavior:
- Turn on Developer Console in FF or Chrome, etc.
- Observe warnings.
Expected behavior
SameSite attribute set?
Describe the bug
The SameSite Attribute is missing.
Details
Version of Node.js: 12.20.1
Server Operating System: Debian Buster
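As an added example (not ApostropheCMS code), the following Node.js snippet parses a Set-Cookie header value and reports the condition behind the console warning quoted above: a cookie whose SameSite attribute is None, missing or invalid while the Secure attribute is absent. The cookie names and values are constructed for illustration.

```javascript
// Added example, not ApostropheCMS code. Audits Set-Cookie header values for the
// SameSite/Secure problem reported in this issue. Sample cookies are constructed.

const VALID_SAMESITE = new Set(['strict', 'lax', 'none']);

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return the list of problems found in one Set-Cookie header; empty means it is fine.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  const raw = attrs.samesite;
  // A bare "SameSite" with no value is treated as an (invalid) empty string.
  const sameSite = raw === undefined ? undefined : String(raw === true ? '' : raw).toLowerCase();
  const secure = attrs.secure === true;
  if (sameSite === undefined) {
    problems.push(`${name}: SameSite attribute missing`);
  } else if (!VALID_SAMESITE.has(sameSite)) {
    problems.push(`${name}: invalid SameSite value "${raw}"`);
  }
  // This is the condition behind the warning quoted in the issue: SameSite=None
  // (explicit, or missing/invalid and treated as None) without Secure gets rejected.
  const effectivelyNone = sameSite === undefined || !VALID_SAMESITE.has(sameSite) || sameSite === 'none';
  if (effectivelyNone && !secure) {
    problems.push(`${name}: SameSite=None (or equivalent) requires the Secure attribute`);
  }
  return problems;
}

// Constructed headers: the shape reported in the issue, then two acceptable forms.
const SAMPLE_HEADERS = [
  'multisite-EXAMPLEID.csrf=tok123; Path=/',
  'multisite-EXAMPLEID.csrf=tok123; Path=/; SameSite=Lax',
  'multisite-EXAMPLEID.csrf=tok123; Path=/; SameSite=None; Secure',
];
for (const h of SAMPLE_HEADERS) console.log(h, '->', auditSetCookie(h));
```

The same function can be pointed at the `set-cookie` array of a real HTTP response to check every cookie a page sets in one pass.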
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Comments: 26 (9 by maintainers)
Defaulting to secure would be too, for A2. So probably we just need to document best practices here and possibly put something in apostrophe-boilerplate.