Cookies: Use "SameSite: Lax" policy?

[tiblu]

What is the user story?

As a User I would like maximum protection against possible CSRF. While CORS is implemented, SameSite policy provides extra layer of security by avoiding cookies be sent from cross-site context.

What is the requested feature?

• [ ] Once more think if and how much extra security does "SameSite:Lax" policy provide.
• [ ] IF it does make sense, set session cookies with "SameSite: Lax".
• [ ] IF it does make sense, Find a way to make widgets work with the "SameSite: Lax" policy.

Additional information.

Related to:

• https://github.com/citizenos/citizenos-fe/issues/442

[loorm]

Triage 20 - timebox to 8 hrs, investigate. Q: Can we recognise app loaded via widget server-side to send looser policy?

[ilmartyrk]

Seems that only ways to recognise if the app is loaded from the widget is to set some kind of a session flag for partner requests or add some parameters to login request. As this question was initially set for only server-side recognition we could also use different paths for authentication request. As browsers now by default set SameSite : Lax our widgets login doesn't work.

[loorm]

Triage 36. Time has moved on, this is now enforced by browsers. We recognise our widget is not working due to this.