markstory
commented
4 years ago Perhaps we should change the default setting to Lax to help with the side note problem.
Closed BGehrels closed 4 years ago
markstory
commented
4 years ago Perhaps we should change the default setting to Lax to help with the side note problem.
dereuromark
commented
4 years ago Hah, GitHub cant get it done right either..^^
Refused to load the font '
' because it violates the following Content Security Policy directive: "font-src github.githubassets.com".
If you look into the chrome debug bar here..
But on a more serious note:
A future release of Chrome will only deliver cookies with cross-site requests if they are set with
SameSite=NoneandSecure.
is also issued by chrome - and doesn't that mean adapting this by default for us would also make sense?
markstory
commented
4 years ago We can't set the Secure flag on cookies as we can't ensure that the application is behind an SSL connection.
BGehrels
commented
4 years ago @dereuromark From what i understand from this site the message is a bit misleading, it sounds more like:
Cookies flagged with SameSite=None will be rejected, if the are not also flagged with Secure. I don't think this will affect the Behaviour of SameSite=Lax cookies.
Therefore i also think that the idea of @markstory to make Lax the default value is a good idea.
ADmad
commented
4 years ago Is the scenario described is "Side Note" common enough? Don't links to protected content in email generally have tokens in URL itself for authentication?
BGehrels
commented
4 years ago I would say so, especially since most webapps i use have a "Keep me signed in" feature - i rarely even recognize that i'm browsing protected content.
Especially in office settings, literally all content is protected and "Sharing" content by Link is quite common: "Could you have a look at this customer order $link? In Support Ticket $Link the customer says she didn't receive the package but our logistics app $link says it was delivered".
Talking about sharing: Take the typical share button on most websites: Share a private FB Event with your friends via whatsapp, share your bosses announcements with your co-Workers via Slack. Newspaper Paywalls are another example. The content is deep-linkable, but only parts are accessible without the login cookie.
Even if the content itself would be accessible, most of the personalization features of the target website would be disabled (The +1 button, for example) because the user is not recognized to be logged in. Many websites look very different when viewed by externals, even if the content is partly accessible. (LinkedIn, FB Profiles, ...)
ADmad
commented
4 years ago Okay, I am fine changing the default to Lax in that case.
BGehrels
commented
4 years ago It's really great how fast you act on user feedback, thanks a lot!
Issue Description When upgrading from CakePHP3 to CakePHP4, the integration with our external SSO solution broke, but there was no hint in the update/upgrade documentation why.
What do we do?
https://externalProvder/login/afterLogin?token=foourl on our cake app/In the last step, the session is not sent, because Cake 4 decided to go for SameSite=Strict by default in https://github.com/cakephp/cakephp/commit/7d37bfd75eac2ae175e619bbaee7c559ef829f67#diff-0f7ea695bfce9d833eb7dbf3fc999244 This leads to an endless redirect loop between app and auth provider.
While the change might be good, there is no documentation about it at all.
Proposal:
Side Note This does not only affect external SSO solutions but also the basic deep-linkability of apps.
The RFC draft on SameSite describes this quite well:
For this reason, i guess the decision to set Session Cookies to SameSite=Strict might bring quite a lot of confusion to Cake Developers if it's not very clearly documented - including it's side effects and configuration options.
Do you want to address this issue? If you can point me to a good place to add the information from No. 2, i'm happy to open a PR for this. Also addressing the side note would sadly exceed my current capacity.