Mohamed-512 / Extra-Streamlit-Components

An all in one place, to find complex or just not available components by default on streamlit.
Apache License 2.0

Cookies aren't set with SameSite: Strict #32

Closed blipk closed 1 year ago

blipk commented 1 year ago

They are also not "Secure": [screenshot: Screenshot from 2022-10-01 13-02-50]

Using this code:

import extra_streamlit_components as stx
from datetime import datetime, timedelta
import pytz
self.cookie_manager = stx.CookieManager()
cookie_expiry_time = datetime.now(tz=pytz.timezone(self.user_tz)) + timedelta(seconds=self.cookie_expiry_seconds)
self.cookie_manager.set("login_cookie", self.token, expires_at=cookie_expiry_time)  # set from the browser via the component

Same whether locally hosted or on Streamlit Cloud.

blipk commented 1 year ago

The issue was in the setCookie function in CookieManager.jsx.

samesite: "strict", should be sameSite: "strict",

Looks like this isn't maintained, so I'm not going to bother with a PR for just that change, have fixed it myself with a fork, and so can anyone else if they read this.
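The comment above pins the bug on an option key spelled `samesite` instead of `sameSite`. The following is an added example, not code from the Extra-Streamlit-Components project or from any commenter: a small cookie-string builder that mirrors the option names of the npm `cookie`-style serializers (`sameSite`, `secure`, `expires`, `path`, `domain`, `maxAge`), plus a parser you can use to check what attributes a cookie string actually carries. The function names, the sample expiry date and the token value are constructed for the example.

```javascript
// Added example (editor's, not the project's code). Mirrors the option
// names a cookie serializer typically reads; any other key, including the
// misspelled `samesite`, is silently ignored, which is exactly the bug.
function buildCookieString(name, value, options = {}) {
  const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`];
  if (options.expires instanceof Date) parts.push(`Expires=${options.expires.toUTCString()}`);
  if (typeof options.maxAge === 'number') parts.push(`Max-Age=${Math.floor(options.maxAge)}`);
  if (options.path) parts.push(`Path=${options.path}`);
  if (options.domain) parts.push(`Domain=${options.domain}`);
  if (options.secure) parts.push('Secure');
  // HttpOnly is deliberately absent: a cookie written from browser JS
  // (document.cookie) cannot be HttpOnly, so it stays readable by scripts.
  if (options.sameSite) {
    const allowed = { strict: 'Strict', lax: 'Lax', none: 'None' };
    const v = allowed[String(options.sameSite).toLowerCase()];
    if (!v) throw new TypeError(`invalid sameSite value: ${options.sameSite}`);
    if (v === 'None' && !options.secure) throw new TypeError('SameSite=None requires Secure');
    parts.push(`SameSite=${v}`);
  }
  return parts.join('; ');
}

// Parse "name=value; Attr; Attr=val" into { attrlower: value | true }.
function cookieAttributes(cookieString) {
  const [, ...attrs] = cookieString.split(/;\s*/);
  const out = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    if (i === -1) out[a.toLowerCase()] = true;
    else out[a.slice(0, i).toLowerCase()] = a.slice(i + 1);
  }
  return out;
}

// The check a reviewer wants: does the emitted cookie carry both flags?
function hasStrictSecure(cookieString) {
  const a = cookieAttributes(cookieString);
  return a.samesite === 'Strict' && a.secure === true;
}

// Constructed sample expiry matching the screenshot date in the report.
const expiry = new Date(Date.UTC(2022, 9, 1, 13, 2, 50));

// Before the fix: key spelled `samesite`, attribute silently dropped, no Secure.
const buggyCookie = buildCookieString('login_cookie', 'tok', {
  expires: expiry, path: '/', samesite: 'strict',
});
// After the fix: key spelled `sameSite`, and `secure` set explicitly.
const fixedCookie = buildCookieString('login_cookie', 'tok', {
  expires: expiry, path: '/', sameSite: 'strict', secure: true,
});
```

Run it and compare `hasStrictSecure(buggyCookie)` (false) with `hasStrictSecure(fixedCookie)` (true); a browser devtools check of the stored cookie gives the same answer as `cookieAttributes`. Note the caveat the later question in this thread touches on: `SameSite` and `Secure` restrict which requests carry the cookie and over which transport, but they do not isolate it from other pages served on the same host, so a cookie set on a shared domain remains readable by other apps on that host regardless of these flags.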

kevinlinxc commented 1 year ago

@blipk if I implement this change, does the security note in the readme no longer apply?

Security Note: In shared domains such as share.streamlit.io, other web developers can have access to the cookies you set and the same goes for you. This is not to be treated as a security bug but a circumstance the developer needs to be aware of.

Mohamed-512 commented 1 year ago

Thanks @blipk for identifying a fix. It would have been great to make a PR for it, and I will make sure to approve it and make a new version of the package including it.