Open teleclimber opened 1 year ago
I can't reproduce this.
Actually I think I can reproduce this now. Simply entering the appspace and then reloading the page (which still has the login token) causes the 403.
Edit: I am able to get this with ds-host running on a Mac with no TLS and accessed from http://dropid.localhost and the appspace at http://leftovers.localhost. It's possible the lack of TLS changes how the cookie is saved?
Edit 2: The browser (or Firefox at least) does not send the cookie on page refresh. It's just not in the request headers. This is if you enter the appspace and refresh the page. The cookie is saved, but not sent.
Ah, it's because of the SameSite attribute. In Chrome dev tools it shows the cookie that was not sent and explains that SameSite=strict means the cookie does not get sent if from another site or top-level navigation, which presumably includes refreshes.
If a logged in appspace user visits the appspace by opening a URL that includes a login token, they are given a 403. That's not right. We should
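As an added illustration (not ds-host's own code), the following Go program models the browser's SameSite decision described in the comments above: a cookie issued by the appspace host with Strict is withheld on a cross-site top-level navigation from dropid.localhost, and on a reload of that page, while Lax would be attached on a safe-method navigation but still not on a cross-site subresource request. The cookie name and the assumption that a reload inherits the cross-site initiator of the original navigation are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
)

// newSessionCookie builds the cookie an appspace host such as leftovers.localhost
// would set after consuming a login token. Name is hypothetical, not ds-host's.
func newSessionCookie(value string, mode http.SameSite) *http.Cookie {
	return &http.Cookie{Name: "appspace_session", Value: value, Path: "/", HttpOnly: true, SameSite: mode}
}

// Request captures what the browser knows when deciding whether to attach a cookie.
type Request struct {
	Method      string
	CrossSite   bool // initiator site differs from the cookie's site (dropid.localhost -> leftovers.localhost)
	TopLevelNav bool // address-bar navigation, link, redirect or reload; false for fetch/img/iframe
}

// wouldSend applies the SameSite rules browsers enforce:
//   Strict: same-site requests only.
//   Lax (and unset, which modern browsers treat as Lax): same-site requests plus
//          cross-site top-level navigations using GET/HEAD.
//   None:   always (browsers also require Secure, which this model ignores).
// Assumption: a reload of a page reached by cross-site navigation keeps CrossSite=true,
// which matches the 403-on-refresh reported in the thread.
func wouldSend(c *http.Cookie, r Request) bool {
	if !r.CrossSite {
		return true
	}
	switch c.SameSite {
	case http.SameSiteLaxMode, http.SameSiteDefaultMode:
		return r.TopLevelNav && (r.Method == http.MethodGet || r.Method == http.MethodHead)
	case http.SameSiteNoneMode:
		return true
	default: // http.SameSiteStrictMode
		return false
	}
}

func main() {
	reload := Request{Method: http.MethodGet, CrossSite: true, TopLevelNav: true}
	for _, m := range []http.SameSite{http.SameSiteStrictMode, http.SameSiteLaxMode} {
		c := newSessionCookie("token", m)
		fmt.Printf("%-20s reload after cross-site login: sent=%v\n", c.String(), wouldSend(c, reload))
	}
}
```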