flarum / issue-archive


Locale cookie for guests doesn't follow any of the cookie rules #145

Open clarkwinkelmann opened 3 years ago

clarkwinkelmann commented 3 years ago

The locale cookie used for switching the language of guests uses different settings from the Flarum cookies, and cannot be customized via config.php like the other cookies.

The cookie is actually defined in the frontend: https://github.com/flarum/core/blob/fa10d794a40c11d7eea321e1728879a80d397a57/js/src/forum/components/HeaderSecondary.js#L45

Meaning it's not following any of the default or custom rules used by CookieFactory: https://github.com/flarum/core/blob/fa10d794a40c11d7eea321e1728879a80d397a57/src/Http/CookieFactory.php#L61-L66

In particular, none of the name, path or domain can be customized by site owners. Since the cookie isn't even prefixed with flarum_, there's a higher chance of conflict with other software, or if two Flarum installations are present in different subfolders.

I'm not sure how/if we want to fix that. If we moved the change language feature to an API/forum endpoint, we could use the CookieFactory on the PHP side and all of its benefits.

It's probably not a big issue, considering the defaults are quite sensible and that it won't create any issue on the large majority of forums. I noticed this while working on a solution that would allow different features of Flarum to use different subdomains, and realized I couldn't customize the cookie to be present on the top level domain to apply globally. I also noticed it's not possible to customize the SameSite value, so maybe there's also an issue with switching language inside of an iframe?
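The name, path and domain effects described in the comment above can be reproduced with a small cookie-jar model. This is an added example, not code from Flarum or from the issue author; the cookie name `locale`, the `Path=/` default, the host names and the `cfg` keys are assumptions constructed for illustration.

```javascript
// Constructed model of a browser cookie jar: cookies are keyed by name + domain + path.
const pathMatch = (req, p) =>
  req === p || (req.startsWith(p) && (p.endsWith('/') || req[p.length] === '/'));
const domainMatch = (host, d) => host === d || host.endsWith('.' + d);

// Hypothetical helper: derive cookie attributes from site-owner config, as a
// server-side factory would. cfg keys (prefix, path, domain, sameSite) are assumptions.
function buildCookie(name, value, cfg = {}) {
  return {
    name: cfg.prefix ? `${cfg.prefix}_${name}` : name,
    value,
    domain: cfg.domain || null, // null means host-only
    path: cfg.path || '/',
    sameSite: cfg.sameSite || 'Lax',
  };
}

// Render the string a script would assign to document.cookie.
function serialize(c) {
  const parts = [`${c.name}=${encodeURIComponent(c.value)}`, `Path=${c.path}`];
  if (c.domain) parts.push(`Domain=${c.domain}`);
  parts.push(`SameSite=${c.sameSite}`);
  if (c.sameSite === 'None') parts.push('Secure'); // browsers require Secure with SameSite=None
  return parts.join('; ');
}

class CookieJar {
  constructor() { this.store = new Map(); }
  set(host, c) {
    const domain = c.domain || host;
    this.store.set(`${c.name}|${domain}|${c.path}`, { ...c, domain, hostOnly: !c.domain });
  }
  valuesFor(host, path) { // values the browser would expose for this host and path
    return [...this.store.values()]
      .filter(c => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)) && pathMatch(path, c.path))
      .map(c => c.value);
  }
}

function demo() {
  const host = 'example.test'; // constructed host with two installs in subfolders
  const fixed = new CookieJar(); // both installs write the same unprefixed name at Path=/
  fixed.set(host, buildCookie('locale', 'en'));
  fixed.set(host, buildCookie('locale', 'fr')); // overwrites the first install's choice
  const scoped = new CookieJar(); // prefix and path taken from each install's config
  scoped.set(host, buildCookie('locale', 'en', { prefix: 'flarum', path: '/forum-a' }));
  scoped.set(host, buildCookie('locale', 'fr', { prefix: 'flarum', path: '/forum-b' }));
  const shared = new CookieJar(); // domain cookie visible to subdomains
  shared.set(host, buildCookie('locale', 'de', { prefix: 'flarum', domain: 'example.test' }));
  return { fixed: fixed.valuesFor(host, '/forum-a/'), scoped: scoped.valuesFor(host, '/forum-a/'),
           shared: shared.valuesFor('forum.example.test', '/') };
}
```

In `demo()`, the first install reads back the second install's language when both use the fixed name and path, keeps its own value once the path is scoped per install, and a cookie with an explicit `Domain` is visible on a subdomain.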

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. We do this to keep the amount of open issues to a manageable minimum. In any case, thanks for taking an interest in this software and contributing by opening the issue in the first place!

clarkwinkelmann commented 3 years ago

Still interested to hear feedback from others on this.

There are still likely very few people who will be impacted by this. The only situation could be extensions that try to read/share the guest locale across domains or frontend/backend, or an extension that would add some sort of widgets in iframes and also be used in multilingual settings without being logged in.

SychO9 commented 3 years ago

> If we moved the change language feature to an API/forum endpoint, we could use the CookieFactory on the PHP side and all of its benefits.

An endpoint to change the language would be the best approach imho