Closed reteP-riS closed 1 year ago
Okay, thanks for pointing this out to me. After reading the information from the link you provided I think document.cookie = cname + "=" + cvalue + ";path=/;SameSite=None; Secure";
is the best option.
I am not an expert, but if I understand the documentation correctly then Samesite=none;Secure
will not set or read cookies on websites that use the insecure http (instead of https).
Maybe check how webtrees sets its session cookie.
I have been using document.cookie = cname + "=" + cvalue + ";path=/;SameSite=Strict";
on my own webtrees site with https for 3 weeks now without any issues. I just checked the session cookie that is created by webtrees. It does two things:
SameSite=Lax
Secure
attribute only if https is used.The respective code can be found in https://github.com/fisharebest/webtrees/blob/main/app/Session.php
After further reading I cannot think of any reason why the information stored in these cookies should be available to third parties. I believe both webtrees and FIB should use SameSite=Strict
and therefor changed https://github.com/fisharebest/webtrees/blob/a7b47bd09b3063a807f8285f7e79b65d5c46fa78/app/Session.php#L82 on my site accordingly.
I am not an expert, but if I understand the documentation correctly then Samesite=none;Secure will not set or read cookies on websites that use the insecure http (instead of https).
You're right. This isn't the best option.
After further reading I cannot think of any reason why the information stored in these cookies should be available to third parties. I believe both webtrees and FIB should use SameSite=Strict
SameSite=Lax means that the cookie is sent when a user navigates to the original site from an external site (for example, when following a link).
Therefore I decided to follow webtrees by using SameSite=Lax and Secure for https domains.
Firefox is throwing this warning about a missing "SameSite" attribute.
_The cookie "FIBWIDTH" does not have a valid value for the "SameSite" attribute. Soon, cookies without the "SameSite" attribute or with an invalid value for it will be treated as "Lax". This means that the cookie will no longer be sent to contexts that belong to a third-party vendor. If your application requires the cookie in these contexts, please add the "SameSite=None" attribute to it. For more information about the "SameSite" attribute, see https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite.
Maybe change https://github.com/JustCarmen/webtrees-fancy-imagebar/blob/2befb6d15159ba97e17c464fadcb3220a858bb21/resources/views/script.phtml#L13 to
document.cookie = cname + "=" + cvalue + ";path=/;SameSite=Strict";
ordocument.cookie = cname + "=" + cvalue + ";path=/;SameSite=Lax";