Azure / api-management-developer-portal

Developer portal provided by the Azure API Management service.
MIT License

SameSite Cookie Not Implemented #2264

Closed Harmanpreet-96 closed 11 months ago

Harmanpreet-96 commented 11 months ago

Bug description

Cookies are typically sent to third parties in cross-origin requests. This can be abused to do CSRF attacks. Recently a new cookie attribute named SameSite was proposed to disable third-party usage for some cookies, to prevent CSRF attacks.

Same-site cookies allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.

Identified Cookie(s): returnUrl
Cookie Source: JavaScript

Reproduction steps

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior

The server can set a same-site cookie by adding the SameSite=... attribute to the Set-Cookie header. There are three possible values for the SameSite attribute:

Lax: In this mode, the cookie will only be sent with a top-level GET request. Set-Cookie: key=value; SameSite=Lax

Strict: In this mode, the cookie will not be sent with any cross-site usage even if the user follows a link to another website. Set-Cookie: key=value; SameSite=Strict

None: In this mode, the cookie will be sent with the cross-site requests. Cookies with SameSite=None must also specify the Secure attribute to transfer them via a secure context. Setting a SameSite=None cookie without the Secure attribute will be rejected by the browsers. Set-Cookie: key=value; SameSite=None; Secure

Is your portal managed or self-hosted?

Managed

Release tag or commit SHA (if using self-hosted version)

[e.g., release 2.0.0, commit c45da9778b70d369aba60fa2e63c191efe2b548f]

API Management service name

enterprise-apim-dev

Environment

Additional context

Add any other context about the problem here, including screenshots.

ghost commented 11 months ago

@Harmanpreet-96, thank you for opening this issue. We will triage it within the next few business days.

ygrik commented 11 months ago

The developer portal uses the returnUrl cookie to navigate the request after sign-in if sign-in is required to load the page. This cookie does not contain sensitive info.