Closed BGehrels closed 4 years ago
Perhaps we should change the default setting to Lax to help with the side note problem.
Hah, GitHub cant get it done right either..^^
Refused to load the font '
' because it violates the following Content Security Policy directive: "font-src github.githubassets.com".
If you look into the chrome debug bar here..
But on a more serious note:
A future release of Chrome will only deliver cookies with cross-site requests if they are set with
SameSite=None
andSecure
.
is also issued by chrome - and doesn't that mean adapting this by default for us would also make sense?
We can't set the Secure
flag on cookies as we can't ensure that the application is behind an SSL connection.
@dereuromark From what i understand from this site the message is a bit misleading, it sounds more like:
Cookies flagged with SameSite=None
will be rejected, if the are not also flagged with Secure
. I don't think this will affect the Behaviour of SameSite=Lax
cookies.
Therefore i also think that the idea of @markstory to make Lax
the default value is a good idea.
Is the scenario described is "Side Note" common enough? Don't links to protected content in email generally have tokens in URL itself for authentication?
I would say so, especially since most webapps i use have a "Keep me signed in" feature - i rarely even recognize that i'm browsing protected content.
Especially in office settings, literally all content is protected and "Sharing" content by Link is quite common: "Could you have a look at this customer order $link? In Support Ticket $Link the customer says she didn't receive the package but our logistics app $link says it was delivered".
Talking about sharing: Take the typical share button on most websites: Share a private FB Event with your friends via whatsapp, share your bosses announcements with your co-Workers via Slack. Newspaper Paywalls are another example. The content is deep-linkable, but only parts are accessible without the login cookie.
Even if the content itself would be accessible, most of the personalization features of the target website would be disabled (The +1 button, for example) because the user is not recognized to be logged in. Many websites look very different when viewed by externals, even if the content is partly accessible. (LinkedIn, FB Profiles, ...)
Okay, I am fine changing the default to Lax
in that case.
It's really great how fast you act on user feedback, thanks a lot!
Issue Description When upgrading from CakePHP3 to CakePHP4, the integration with our external SSO solution broke, but there was no hint in the update/upgrade documentation why.
What do we do?
https://externalProvder/login
/afterLogin?token=foo
url on our cake app/
In the last step, the session is not sent, because Cake 4 decided to go for SameSite=Strict by default in https://github.com/cakephp/cakephp/commit/7d37bfd75eac2ae175e619bbaee7c559ef829f67#diff-0f7ea695bfce9d833eb7dbf3fc999244 This leads to an endless redirect loop between app and auth provider.
While the change might be good, there is no documentation about it at all.
Proposal:
Side Note This does not only affect external SSO solutions but also the basic deep-linkability of apps.
The RFC draft on SameSite describes this quite well:
For this reason, i guess the decision to set Session Cookies to SameSite=Strict might bring quite a lot of confusion to Cake Developers if it's not very clearly documented - including it's side effects and configuration options.
Do you want to address this issue? If you can point me to a good place to add the information from No. 2, i'm happy to open a PR for this. Also addressing the side note would sadly exceed my current capacity.