misskey-dev / misskey

🌎 A completely free and open interplanetary microblogging platform 🚀
https://misskey-hub.net/
GNU Affero General Public License v3.0
9.88k stars 1.33k forks

Cookie token should be marked as "secure" when created in an https connection #14606

Open temtemy opened 6 days ago

temtemy commented 6 days ago

💡 Summary

Currently the cookie being generated in /packages/frontend/src/account.ts when you sign in is not marked as secure:

https://github.com/misskey-dev/misskey/blob/0e92cbf9052898d17c6e5dec8027203c62dde687/packages/frontend/src/account.ts#L205

This can result in the cookie token being sent unencrypted by the browser over http if the webmaster didn't set up HSTS.

Note that Chrome and Firefox (since version 52 for both browsers) will not set a cookie when secure is used in an http scheme, according to MDN. So make sure secure is only added as a directive when https is the scheme, so as not to break Misskey instances which serve the frontend over secure hidden networks like Tor and Yggdrasil (which usually don't use https).

🥰 Expected Behavior

The cookie token should be marked as "secure" in the document.cookie. For example, Mastodon does it and my browser does note that the cookie will only be sent over HTTPS:

image

🤬 Actual Behavior

There's no secure directive in the document.cookie, and, as noted by my browser, it can be sent over any type of connection instead of just HTTPS:

image

📝 Steps to Reproduce

No response

💻 Frontend Environment

No response

🛰 Backend Environment (for server admin)

No response

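The conditional-`Secure` behaviour the issue asks for, as an added example that is not Misskey's code and not part of the original report. It builds the `document.cookie` string for a login token so that `Secure` is appended only when the page was loaded over `https:`, and includes a small model of the browser rule quoted from MDN (a `Secure` cookie set from an `http:` page is dropped) so the two cases can be checked outside a browser. The function names, the cookie name `token`, and the `max-age`/`SameSite` values are assumptions for illustration, not taken from `packages/frontend/src/account.ts`.

```javascript
// Added example (not Misskey's code). Builds a login-token cookie string for
// document.cookie, adding "Secure" only when the page scheme is https:.
// `protocol` is passed in explicitly (normally `location.protocol`) so the
// logic can be exercised and tested outside a browser.
function buildTokenCookie(name, value, protocol, opts = {}) {
  const { path = '/', maxAgeSeconds = 60 * 60 * 24 * 365, sameSite = 'Lax' } = opts;
  // RFC 6265 token characters only; rejects names that would inject attributes.
  if (!/^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/.test(name)) {
    throw new Error('invalid cookie name');
  }
  const parts = [
    `${name}=${encodeURIComponent(value)}`,
    `path=${path}`,
    `max-age=${maxAgeSeconds}`,
    `SameSite=${sameSite}`,
  ];
  // Chrome and Firefox (52+) refuse to store a Secure cookie set from an http:
  // page, which would break instances served over Tor or Yggdrasil without TLS.
  // Add the attribute only when the scheme is https:, where it stops the browser
  // from ever sending the token over plain http (HttpOnly cannot be set from
  // script, so Secure is the only transport protection available here).
  if (protocol === 'https:') {
    parts.push('Secure');
  }
  return parts.join('; ');
}

// Splits a cookie string into its name/value pair and a lowercase-keyed map of
// attributes (value-less attributes such as Secure map to true).
function parseCookieString(cookieString) {
  const [pair, ...rest] = cookieString.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = new Map();
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs.set(key, i === -1 ? true : attr.slice(i + 1));
  }
  return {
    name: pair.slice(0, eq),
    value: decodeURIComponent(pair.slice(eq + 1)),
    attrs,
  };
}

// Model of the browser rule cited in the issue: a cookie carrying Secure is
// silently discarded when set from a non-https page.
function wouldBrowserStore(cookieString, protocol) {
  const { attrs } = parseCookieString(cookieString);
  return !(attrs.has('secure') && protocol !== 'https:');
}

// Entry point as a frontend would call it. `doc` and `loc` default to the
// browser globals and can be substituted with stand-ins for testing.
function setTokenCookie(token, doc = globalThis.document, loc = globalThis.location) {
  const cookie = buildTokenCookie('token', token, loc.protocol);
  doc.cookie = cookie;
  return cookie;
}
```

With this, an https instance emits `token=...; path=/; max-age=31536000; SameSite=Lax; Secure`, while an http-only onion or Yggdrasil instance emits the same string without `Secure`, which the browser still stores. Note that the conditional only avoids breaking non-TLS instances; on an https instance without HSTS a first request typed as `http://` is still made over plain http, but with `Secure` set the token cookie is no longer attached to it.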

kakkokari-gtyih commented 6 days ago

Related to https://github.com/misskey-dev/misskey/issues/14528