Closed joseph-reynolds closed 2 years ago
Enhance BMCWeb (https://github.com/openbmc/bmcweb/blob/master/include/token_authorization_middleware.hpp#L430) to create cookies with `SameSite=Strict` by default. Do we need to write cookies with `SameSite=None; Secure` when BMCWEB_INSECURE_DISABLE_XSS_PREVENTION is also used to support the use case of hosting the BMC's website off of the BMC?
See: the Chrome browser’s SameSite cookie changes: https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html
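An added illustration of the two cookie modes the issue asks about (example code, not bmcweb's implementation): the `SESSION` cookie name, the `buildSessionCookie` and `effectiveSameSite` helpers, and the `crossSiteHosting` flag standing in for the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION case are all assumptions made here.

```cpp
#include <string>

// Build the Set-Cookie value for the BMC session cookie.
// crossSiteHosting stands in for the case where BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
// is set and the web UI is served from a different origin than the BMC:
// the cookie then needs SameSite=None, which browsers only accept together
// with Secure. Otherwise the default is SameSite=Strict.
// (Hypothetical helper; bmcweb's own code lives in token_authorization_middleware.hpp.)
std::string buildSessionCookie(const std::string& token, bool crossSiteHosting)
{
    std::string cookie = "SESSION=" + token + "; Secure; HttpOnly";
    if (crossSiteHosting)
    {
        cookie += "; SameSite=None";
    }
    else
    {
        cookie += "; SameSite=Strict";
    }
    return cookie;
}

// Classify an outgoing Set-Cookie value according to the Chrome 80 SameSite
// rules linked above: a cookie without SameSite is treated as Lax, and
// SameSite=None is rejected unless Secure is also present.
// Attribute matching is a simplified substring search for illustration.
// Returns the effective SameSite mode, or "rejected".
std::string effectiveSameSite(const std::string& setCookie)
{
    auto has = [&](const std::string& attr) {
        return setCookie.find(attr) != std::string::npos;
    };
    if (has("SameSite=None"))
    {
        return has("Secure") ? "None" : "rejected";
    }
    if (has("SameSite=Strict"))
    {
        return "Strict";
    }
    return "Lax"; // explicit Lax, or attribute missing (Chrome default)
}
```

Running the classifier over every Set-Cookie header the BMC emits is a cheap regression check that the cross-site build never ships SameSite=None without Secure.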
@joseph-reynolds Assuming we can close? https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/41383 merged
Closing. Feel free to reopen if more work needs to be done here.