JustCarmen / webtrees-fancy-imagebar

Fancy Imagebar module for webtrees
http://justcarmen.nl
GNU General Public License v3.0

The cookie "FIB_WIDTH" does not have a valid value for the "SameSite" attribute. #124

Closed reteP-riS closed 1 year ago

reteP-riS commented 1 year ago

Firefox is throwing this warning about a missing "SameSite" attribute.

_The cookie "FIB_WIDTH" does not have a valid value for the "SameSite" attribute. Soon, cookies without the "SameSite" attribute or with an invalid value for it will be treated as "Lax". This means that the cookie will no longer be sent to contexts that belong to a third-party vendor. If your application requires the cookie in these contexts, please add the "SameSite=None" attribute to it. For more information about the "SameSite" attribute, see https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite._

Maybe change https://github.com/JustCarmen/webtrees-fancy-imagebar/blob/2befb6d15159ba97e17c464fadcb3220a858bb21/resources/views/script.phtml#L13 to document.cookie = cname + "=" + cvalue + ";path=/;SameSite=Strict"; or document.cookie = cname + "=" + cvalue + ";path=/;SameSite=Lax";

JustCarmen commented 1 year ago

Okay, thanks for pointing this out to me. After reading the information from the link you provided I think document.cookie = cname + "=" + cvalue + ";path=/;SameSite=None; Secure"; is the best option.

reteP-riS commented 1 year ago

I am not an expert, but if I understand the documentation correctly then Samesite=none;Secure will not set or read cookies on websites that use the insecure http (instead of https). Maybe check how webtrees sets its session cookie.

reteP-riS commented 1 year ago

I have been using document.cookie = cname + "=" + cvalue + ";path=/;SameSite=Strict"; on my own webtrees site with https for 3 weeks now without any issues. I just checked the session cookie that is created by webtrees. It does two things:

  1. It uses SameSite=Lax
  2. It uses the Secure attribute only if https is used.

The respective code can be found in https://github.com/fisharebest/webtrees/blob/main/app/Session.php

After further reading I cannot think of any reason why the information stored in these cookies should be available to third parties. I believe both webtrees and FIB should use SameSite=Strict and therefore changed https://github.com/fisharebest/webtrees/blob/a7b47bd09b3063a807f8285f7e79b65d5c46fa78/app/Session.php#L82 on my site accordingly.

JustCarmen commented 1 year ago

> I am not an expert, but if I understand the documentation correctly then Samesite=none;Secure will not set or read cookies on websites that use the insecure http (instead of https).

You're right. This isn't the best option.

> After further reading I cannot think of any reason why the information stored in these cookies should be available to third parties. I believe both webtrees and FIB should use SameSite=Strict

SameSite=Lax means that the cookie is sent when a user navigates to the original site from an external site (for example, when following a link).

Therefore I decided to follow webtrees by using SameSite=Lax and Secure for https domains.
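The Lax-plus-conditional-Secure approach the thread settles on, as an added example that is not the module's own code: it builds the cookie string and audits any cookie string against the rules behind the Firefox warning (buildCookie, auditCookie and the isHttps parameter are hypothetical names; in a browser pass location.protocol === "https:").

```javascript
// Added example, not code from the webtrees-fancy-imagebar module.
// buildCookie mirrors the decision in the thread: SameSite=Lax always,
// Secure only when the page is served over https. auditCookie checks a
// cookie string for the conditions Firefox warns about or rejects.
function buildCookie(cname, cvalue, isHttps, sameSite = "Lax") {
  const parts = [cname + "=" + encodeURIComponent(cvalue), "path=/", "SameSite=" + sameSite];
  // Secure is mandatory for SameSite=None; for Lax/Strict add it only on https,
  // because a Secure cookie set from an http page is silently dropped.
  if (sameSite === "None" || isHttps) parts.push("Secure");
  return parts.join(";");
}

const CANONICAL = { strict: "Strict", lax: "Lax", none: "None" };

function auditCookie(cookieString, isHttps) {
  // Parse "name=value;attr;attr=value" into a lowercase attribute map.
  const attrs = {};
  for (const seg of cookieString.split(";").slice(1)) {
    const [key, ...rest] = seg.trim().split("=");
    attrs[key.toLowerCase()] = rest.length ? rest.join("=") : true;
  }
  const raw = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : "";
  const valid = Object.prototype.hasOwnProperty.call(CANONICAL, raw);
  const secure = attrs.secure === true;
  const findings = [];
  if (!valid) findings.push("SameSite missing or invalid: browser will treat it as Lax (warning)");
  if (valid && raw === "none" && !secure) findings.push("SameSite=None without Secure: cookie rejected");
  if (secure && !isHttps) findings.push("Secure attribute on an http page: cookie rejected");
  return {
    effectiveSameSite: valid ? CANONICAL[raw] : "Lax",
    secure,
    findings,
    accepted: !findings.some((f) => f.endsWith("rejected")),
  };
}

// Constructed sample: the original FIB_WIDTH cookie (no SameSite) and the fix.
const legacyCookie = "FIB_WIDTH=800;path=/";
console.log(auditCookie(legacyCookie, true).findings);
console.log(buildCookie("FIB_WIDTH", "800", true));
console.log(buildCookie("FIB_WIDTH", "800", false));
```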