opensearch-project / security

🔐 Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0
180 stars 264 forks

[FEATURE] security_authentication cookie lacks SameSite attribute #4421

Closed simonelbaz closed 3 weeks ago

simonelbaz commented 3 weeks ago

During the proxy authentication flow, the security_authentication cookie lacks the SameSite attribute.

A warning is emitted by the Console browser tab:

image

What solution would you like? Would it be possible to set SameSite to 'Strict' or make it available as a parameter?

What alternatives have you considered? This is a warning. So that's OK.

scrawfor99 commented 3 weeks ago

[Triage] Hi @simonelbaz, thank you for filing this issue. This seems like something that could definitely be made configurable. Feel free to open a PR for this pull request and we can review it quickly.

shikharj05 commented 3 weeks ago

Hi, this is configurable today. Have you tried adding opensearch_security.cookie.isSameSite: Strict to the opensearch_dashboards.yml file and restarting dashboards?
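
One way to confirm the effect of that setting after a restart, as an added example that is not part of the thread or the project's code: a small audit of `Set-Cookie` header values for the `security_authentication` cookie. The header strings are constructed samples and the function names are hypothetical; in practice the input would be the `Set-Cookie` values copied from a Dashboards login response.

```python
# Added example: audit Set-Cookie header values for the SameSite attribute.
COOKIE_NAME = "security_authentication"  # cookie name taken from the issue

# Constructed sample headers (not captured from a real cluster).
SAMPLE_HEADERS = [
    "security_authentication=CONSTRUCTED_VALUE; Path=/; HttpOnly",
    "security_authentication=CONSTRUCTED_VALUE; Path=/; HttpOnly; Secure; SameSite=Strict",
    "security_authentication=CONSTRUCTED_VALUE; Path=/; SameSite=None",
    "other_cookie=1; SameSite=Lax",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs) with lower-cased attribute keys."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_samesite(headers, cookie_name=COOKIE_NAME):
    """Return one finding per header that sets cookie_name; other cookies are ignored."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        samesite = attrs.get("samesite")
        if samesite is None:
            # The state reported in the issue: no SameSite attribute at all.
            findings.append("missing SameSite")
        elif samesite.lower() not in ("strict", "lax", "none"):
            findings.append(f"invalid SameSite={samesite}")
        elif samesite.lower() == "none" and "secure" not in attrs:
            # Browsers reject SameSite=None cookies that are not marked Secure.
            findings.append("SameSite=None without Secure")
        else:
            findings.append(f"ok SameSite={samesite}")
    return findings

if __name__ == "__main__":
    for finding in audit_samesite(SAMPLE_HEADERS):
        print(finding)
```
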