freeCodeCamp: Missing SameSite header in CDN

Describe the bug

All modern browsers have started to enforce the SameSite header for security reasons. Previously, None used to be the default value, but recent browser versions made Lax the default value to have a reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks.

FCC doesn’t specify the SameSite header, and the current browsers default to None, but in the near future this will change. Browsers in the near future will default to Lax, so to ensure the expected behaviour we need to add the SameSite header together with the Secure header.

To Reproduce

Steps to reproduce the behavior:

  1. Open any page or resource that uses the CDN
  2. Open the console (in Chrome) and see the warning

Expected behavior

The expected behaviour is to see no warning and the CDN should work as normal.

Screenshots

Here’s a screenshot of the warning:

[screenshot: Capture]

Desktop (please complete the following information):

  • OS: Windows 10 (64 Bit)
  • Browser: Chrome
  • Version: 83.0.4103.61 (Official Build) (64-bit)

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 17 (16 by maintainers)

Most upvoted comments

Hi @Twaha-Rahman

Thanks a lot for the report.

Please note that while we are sincerely grateful for the report and the PR, we highly recommend reporting security issues to our dedicated email for these. You would have been presented with this template when opening an issue:

[image: security issue template]

This gives us a chance to brace ourselves quickly 😃

I have left review comments on the PR.

Is there a quick way of auditing the site to see if any other resources need this header specifying?

Yes, we would have public deploy-previews. It would not be matched to the domain though.
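As a starting point for the audit question above, here is a small Set-Cookie checker added as an example; it is not part of this thread or of the freeCodeCamp code base. It parses Set-Cookie header values and flags cookies that carry no SameSite attribute (which Chrome 80 and later treat as Lax, the situation behind the console warning) or that set SameSite=None without Secure (which those browsers reject). The sample headers are constructed, not captured from the CDN.

```javascript
// Added example (not freeCodeCamp code): audit Set-Cookie headers for SameSite problems.

// Parse one Set-Cookie header value into the fields the audit needs.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const cookie = { name, sameSite: null, secure: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === 'samesite') cookie.sameSite = v.toLowerCase() || null;
    else if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Return the cookie's name, its SameSite/Secure state and a list of findings.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (c.sameSite === null) {
    findings.push('missing SameSite: modern Chrome treats this as SameSite=Lax');
  } else if (c.sameSite === 'none' && !c.secure) {
    findings.push('SameSite=None without Secure: cookie will be rejected');
  } else if (!['lax', 'strict', 'none'].includes(c.sameSite)) {
    findings.push(`unknown SameSite value "${c.sameSite}"`);
  }
  return { name: c.name, sameSite: c.sameSite, secure: c.secure, findings };
}

// Constructed sample headers (hypothetical cookie names, not from the real CDN).
const SAMPLE_HEADERS = [
  'cdn_session=abc123; Path=/; HttpOnly',
  'theme=dark; Path=/; SameSite=None',
  'tracker=xyz; Path=/; SameSite=None; Secure',
  'csrf=tok; Path=/; SameSite=Lax; Secure',
];

// Keep only the cookies that need attention.
function auditAll(headers) {
  return headers.map(auditSetCookie).filter((r) => r.findings.length > 0);
}

for (const r of auditAll(SAMPLE_HEADERS)) console.log(r.name, r.findings);
```

Feed it the Set-Cookie values collected from each CDN resource (for example from the response headers in the browser's network panel) to list every cookie that still needs the attribute.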