Closed Harmanpreet-96 closed 11 months ago
@Harmanpreet-96, thank you for opening this issue. We will triage it within the next few business days.
The developer portal uses the returnUrl cookie to navigate the request after sign-in, if sign-in is required to load the page. This cookie does not contain sensitive info.
Bug description
Cookies are typically sent to third parties in cross-origin requests. This can be abused to carry out CSRF attacks. Recently a new cookie attribute named SameSite was proposed to disable third-party usage for some cookies, to prevent CSRF attacks.
Same-site cookies allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.
Identified Cookie(s): returnUrl
Cookie Source: JavaScript
Reproduction steps
Expected behavior
The server can set a same-site cookie by adding the SameSite=... attribute to the Set-Cookie header. There are three possible values for the SameSite attribute:
Lax: In this mode, the cookie will only be sent with a top-level GET request. Set-Cookie: key=value; SameSite=Lax
Strict: In this mode, the cookie will not be sent with any cross-site usage, even if the user follows a link to another website. Set-Cookie: key=value; SameSite=Strict
None: In this mode, the cookie will be sent with cross-site requests. Cookies with SameSite=None must also specify the Secure attribute so that they are only transferred in a secure context. A SameSite=None cookie set without the Secure attribute will be rejected by browsers. Set-Cookie: key=value; SameSite=None; Secure
Is your portal managed or self-hosted?
Managed
Release tag or commit SHA (if using self-hosted version)
[e.g., release 2.0.0, commit c45da9778b70d369aba60fa2e63c191efe2b548f]
API Management service name
enterprise-apim-dev
Environment
Additional context
Add any other context about the problem here, including screenshots.
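Added example, not part of this issue or of the developer portal code: a small helper that builds a cookie string with an explicit SameSite attribute (enforcing the SameSite=None + Secure rule described above) and an audit function that flags Set-Cookie headers missing SameSite or combining None without Secure. The function names and sample headers are constructed for illustration.

```javascript
// Added example (not from the developer portal code base). Assumed helper
// names: buildCookie, parseSetCookie, auditSetCookie. Sample headers below
// are constructed, not captured from the portal.

const SAME_SITE_VALUES = new Set(["lax", "strict", "none"]);

// Build "name=value; Path=/; SameSite=...; Secure" for a low-sensitivity
// cookie such as returnUrl. Throws on the combination browsers reject.
function buildCookie(name, value, { sameSite = "Lax", secure = true, path = "/" } = {}) {
  if (!SAME_SITE_VALUES.has(sameSite.toLowerCase())) {
    throw new Error(`invalid SameSite value: ${sameSite}`);
  }
  if (sameSite.toLowerCase() === "none" && !secure) {
    throw new Error("SameSite=None requires the Secure attribute");
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (secure) parts.push("Secure");
  return parts.join("; ");
}

// Parse one Set-Cookie header into { name, value, attrs }; attribute names
// are lower-cased, valueless attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf("=");
    const k = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    attrs[k] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Return a list of findings for a Set-Cookie header; an empty list means OK.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  const sameSite = attrs.samesite;
  if (sameSite === undefined) {
    findings.push(`${name}: no SameSite attribute; browser defaults vary, set it explicitly`);
  } else if (!SAME_SITE_VALUES.has(String(sameSite).toLowerCase())) {
    findings.push(`${name}: unknown SameSite value "${sameSite}"`);
  } else if (String(sameSite).toLowerCase() === "none" && !attrs.secure) {
    findings.push(`${name}: SameSite=None without Secure is rejected by browsers`);
  }
  return findings;
}
```

The same string returned by buildCookie can be assigned to document.cookie on the client, which is where the returnUrl cookie in this issue is set.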