apostrophe: CSRF cookies don't set SameSite Attribute. Will soon be rejected by browsers.

Install from Git, last week.

Developer tools console shows:

Cookie “multisite-ckkclehap000k3i4sxv7zp87b.csrf” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

To Reproduce

Step by step instructions to reproduce the behavior:

  1. Turn on Developer Console in FF or Chrome, etc.
  2. Observe warnings.

Expected behavior

SameSite attribute set?

Describe the bug

The SameSite Attribute is missing.

Details

Version of Node.js:

12.20.1

Server Operating System:

Debian Buster
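The rule behind the console warning quoted above (a cookie with `SameSite=None`, or an invalid SameSite value, and no `Secure` flag gets rejected) can be checked before the cookie ever reaches a browser. The following is an added example and not ApostropheCMS code: it serialises a `Set-Cookie` value from an options object, parses one back, and lints it against that rule. The cookie name is the one from the warning; the token value and the option names (`sameSite`, `secure`, `httpOnly`, `path`) are constructed for the example and are not Apostrophe's own API.

```javascript
// Added example (not ApostropheCMS code): build, parse and lint a Set-Cookie
// value for the SameSite/Secure combinations discussed in this issue.

const VALID_SAMESITE = new Set(['strict', 'lax', 'none']);

// Serialise name/value plus the attributes this issue is about.
// Option names here are assumptions for the example, not a library API.
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite !== undefined) {
    const v = String(opts.sameSite).toLowerCase();
    if (!VALID_SAMESITE.has(v)) {
      throw new TypeError(`invalid sameSite value: ${opts.sameSite}`);
    }
    parts.push(`SameSite=${v[0].toUpperCase()}${v.slice(1)}`);
  }
  return parts.join('; ');
}

// Parse a Set-Cookie header value back into the attributes we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: decodeURIComponent(pair.slice(eq + 1)),
    secure: false,
    sameSite: null // null means the attribute is absent
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = (v || '').toLowerCase();
  }
  return cookie;
}

// Apply the browser rule from the developer-console warning: SameSite=None
// (or an invalid SameSite value) without Secure means the cookie is rejected.
// Returns a list of human-readable problems; an empty list means it passes.
function lintCookie(header) {
  const c = parseSetCookie(header);
  const problems = [];
  if (c.sameSite === null) {
    problems.push('SameSite attribute missing');
  } else if (!VALID_SAMESITE.has(c.sameSite)) {
    problems.push(`invalid SameSite value "${c.sameSite}"`);
  }
  // Only Strict and Lax are allowed without Secure.
  const needsSecure = c.sameSite !== null && c.sameSite !== 'strict' && c.sameSite !== 'lax';
  if (needsSecure && !c.secure) {
    problems.push('SameSite=None or invalid value without Secure: browser will reject this cookie');
  }
  return problems;
}

// Constructed sample values: the weak setting from the warning and a hardened one.
const CSRF_COOKIE = 'multisite-ckkclehap000k3i4sxv7zp87b.csrf';
const weakHeader = serializeCookie(CSRF_COOKIE, 'example-token', { sameSite: 'none', path: '/' });
const fixedHeader = serializeCookie(CSRF_COOKIE, 'example-token', {
  sameSite: 'strict', secure: true, httpOnly: true, path: '/'
});
```

`lintCookie(weakHeader)` reports the rejection, `lintCookie(fixedHeader)` returns an empty list, and a header with no SameSite attribute at all (the situation in the issue title) is flagged as missing without being treated as rejected, since browsers fall back to their own default in that case.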

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 26 (9 by maintainers)

Most upvoted comments

Defaulting to secure would be too, for A2. So probably we just need to document best practices here and possibly put something in apostrophe-boilerplate.

On Wed, Jan 27, 2021 at 10:48 AM Tom Boutell tom@apostrophecms.com wrote:

Defaulting to strict would be a bc break, though perhaps not for much longer.

On Wed, Jan 27, 2021 at 10:48 AM Tom Boutell tom@apostrophecms.com wrote:

Interesting. That might be the case as long as it can be verified across browsers.

On Wed, Jan 27, 2021 at 9:36 AM Mark Washeim notifications@github.com wrote:

Wouldn’t it be easier still to set sameSite to strict? On the other hand Mozilla says:

Secure (Optional): Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

Perhaps secure is not a problem for localhost at all?


THOMAS BOUTELL | CHIEF TECHNOLOGY OFFICER APOSTROPHECMS | apostrophecms.com | he/him/his
