MrOrz
commented
4 years ago https://www.chromium.org/updates/same-site
rumors-apihas not addSameSite: none; secureto its cookie- Google says "We have begun enforcing the new behavior for Chrome 80 stable, just not for 100% of users. ". This means that some users are already blocked from Cofacts due to this issue, while others can still proceed with a warning message:
A cookie associated with a cross-site resource at http://cofacts-api.g0v.tw/ was set without the
SameSiteattribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set withSameSite=NoneandSecure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
The message is different from the one @Stimim received. The difference is marked italic, stating that the browser has not blocked the cookie yet; while Stimim's browser is chosen by Google and blocked cookies according to SameSite rules.
Impact range
For users with a browser that enforces same-site, they will have issue when
- visiting http://localhost:3000: requests to https://cofacts-api.hacktabl.org will have no cookie set
- visiting https://dev.cofacts.org: requests to https://cofacts-api.hacktabl.org will have no cookie set
- visiting https://cofacts.org : requests to https://cofacts-api.g0v.tw will have no cookie set
However, cofacts.g0v.tw and cofacts-api.g0v.tw are considered same-site, cofacts.hacktabl.org and cofacts-api.hacktabl.org are also considered same-site, thus these are already "same-site" and can still work under the default SameSite: Lax behavior.
References
Definition of "same-site": https://web.dev/samesite-cookies-explained/#explicitly-state-cookie-usage-with-the-samesite-attribute
Mitigation
There are 3 ways to mitigate the same-site change:
Method 1: relax samesite
Since rumors-api acts as an authentication service, its cookie should be sent in third party context. We should set SameSite: none; secure on the login cookies set by rumors-api.
After enforcing samesite on rumors-api, we may encounter issue developing using http://localhost:3000. Need to investigate workarounds, or provide documentation for devs to setup https on localhost.
References
Method 2: use same-site APIs whenever possible
Another way to mitigate is to keep API endpoints always same-site, so that same-site cookie rules never need to apply.
- When connecting to
*.cofacts.org, useapi.cofacts.orgas API endpoint- Problem: need to determine API endpoint using host, and need carefully handle OAuth2 login redirect domains
- Proxy requests to
/api/to API servers instead- On production, this can be achieved using path matching and
proxy_pass - On localhost dev environments, it should be achievable using dev server proxy
- This is not only same-site but also same-origin. Can switch to simpler CORS setup (but some CORS may be still needed for chatbot LIFF), or remove CORS support completely (require chatbot LIFF to implement its own proxy as well).
- When using proxy under each domain, we may need to take care of session cookie key collision (need to pick a different cookie name) and a problem that the login session cannot cross-domain (SSO).
- On production, this can be achieved using path matching and
Method 3: Use token & authentication header to replace cookie
No cookie, no headache! In this way, there is nothing that will "automatically" sent to server, thus no CSRF risks -- as long as the token is not intercepted :P
However, this requires clients like rumors-site to remember the token in other means (such as localStorage) if we don't want users to login after reloading the website / opening a new tab. Other things are:
- We may need to design our own token expire check (or use JWT) to replace cookie max-age mechanism.
- We may need token exchange mechanism so that the server can safely (i.e. not through redirect URLs!) send real session token (JWT) to client after the user authenticates. Usually it is achieved by server attaching a temporary
codein URL after successful authentication, and the client uses thecodeto exchange fortokenand store it in client side.
How to Reproduce
npm run devto start a dev server.Loginbutton in top right corner.Loginbutton is still shown in top right corner.Additional Info
In both browser, there is no cookie from cofacts domain.
Google Chrome
Found the following message in developer console:
Safari
Found the following message in javascript console: