openbmc / bmcweb

A do everything Redfish, KVM, GUI, and DBus webserver for OpenBMC
Apache License 2.0

Create cookies with SameSite=Strict #115

Closed joseph-reynolds closed 2 years ago

joseph-reynolds commented 4 years ago

Enhance BMCWeb (https://github.com/openbmc/bmcweb/blob/master/include/token_authorization_middleware.hpp#L430) to create cookies with SameSite=Strict by default. Do we need to write cookies with SameSite=None; Secure when BMCWEB_INSECURE_DISABLE_XSS_PREVENTION is also used to support the use case of hosting the BMC's website off of the BMC?

See the Chrome browser's SameSite cookie changes: https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html
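As an added illustration of the behaviour the issue discusses (not bmcweb's own code; the function names, cookie layout and `crossSiteHosting` flag are assumptions), a C++ helper that emits the session cookie with SameSite=Strict by default and SameSite=None plus Secure for the off-BMC hosting case, together with a check for the SameSite=None-without-Secure combination that Chrome rejects:

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <string_view>
#include <vector>

// Hypothetical helper (added example, not bmcweb's code). crossSiteHosting models
// the issue's case of hosting the web UI off the BMC (BMCWEB_INSECURE_DISABLE_XSS_PREVENTION):
// SameSite=Strict would block the cookie there, so it must be SameSite=None plus Secure.
std::string buildSessionCookie(std::string_view name, std::string_view value,
                               bool crossSiteHosting) {
    std::string cookie = std::string(name) + "=" + std::string(value);
    cookie += "; Path=/; HttpOnly; Secure";
    cookie += crossSiteHosting ? "; SameSite=None" : "; SameSite=Strict";
    return cookie;
}

// Splits a Set-Cookie value into ';'-separated parts, trimmed and lower-cased,
// the way a browser matches attribute names.
std::vector<std::string> cookieAttributes(std::string_view cookie) {
    std::vector<std::string> attrs;
    for (size_t start = 0; start <= cookie.size();) {
        size_t end = std::min(cookie.find(';', start), cookie.size());
        std::string_view part = cookie.substr(start, end - start);
        while (!part.empty() && part.front() == ' ') part.remove_prefix(1);
        std::string lower(part);
        for (char& c : lower) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
        if (!lower.empty()) attrs.push_back(lower);
        start = end + 1;
    }
    return attrs;
}

// Effective SameSite mode as Chrome applies it since its 2020 change: an absent
// attribute is treated as "lax".
std::string effectiveSameSite(std::string_view cookie) {
    std::string mode = "lax";
    for (const std::string& a : cookieAttributes(cookie))
        if (a.rfind("samesite=", 0) == 0) mode = a.substr(9);
    return mode;
}

// SameSite=None without Secure is rejected by the browser outright, so a
// cross-site BMC session set that way would silently fail to authenticate.
bool browserAcceptsCookie(std::string_view cookie) {
    const std::vector<std::string> attrs = cookieAttributes(cookie);
    bool secure = std::find(attrs.begin(), attrs.end(), "secure") != attrs.end();
    return effectiveSameSite(cookie) != "none" || secure;
}
```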

gtmills commented 3 years ago

@joseph-reynolds Assuming we can close? https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/41383 merged

edtanous commented 2 years ago

Closing. Feel free to reopen if more work needs to be done here.