Project

General

Profile

Feature #7814

Consider supporting SameSite attribute on cookies

Added by Bruce Toll 27 days ago. Updated 27 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
11/02/2020
Due date:
% Done:

0%

Estimated time:

Description

WApplication::setCookie() does not currently support setting the SameSite attribute. This results in a default interpretation by the browser. For Firefox versions 76 and higher, it also results in a warning on the developer console.

This warning was reported in #6593-8, and I encountered the warning independently while debugging some new code.

The warning can be produced with the hello.wt application. With Firefox 82.0 on Linux, the following messages appear on the console:

Some cookies are misusing the recommended “SameSite“ attribute
Cookie “jscookietest” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite test:167
Cookie “jscookietest” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite test:170
Cookie “WtTestCookie” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite test:173:59

With the Firefox network.cookie.sameSite.laxByDefault config value set to true (the expected future setting), the following messages appear on the console when testing the hello.wt application:

Some cookies are misusing the “SameSite“ attribute, so it won’t work as expected
Cookie “jscookietest” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute. test:167
Cookie “jscookietest” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute. test:170
Cookie “WtTestCookie” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute. test:173:59

Attached for your review is a patch that enhances setCookie with a sameSite parameter. It also tries to set reasonable SameSite values for cookies used by Wt. The patch has been lightly tested against github Wt 4.4.0-28-g6e0c1758, but would benefit from additional review and testing (particularly for cookies that set SameSite=Strict). There are additional notes in the patch file.

Additional references:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/
https://bugzilla.mozilla.org/show_bug.cgi?id=1454781
https://www.chromium.org/updates/same-site/test-debug
https://www.chromium.org/updates/same-site/faq


Files

#1

Updated by Bruce Toll 27 days ago

I noticed some problems with the initial patch and plan to submit an update later this week.

#2

Updated by Bruce Toll 27 days ago

I've attached an updated patch (0001-Add-SameSite-support-to-setCookie_rev2.patch). It corrects the text of a LOG_WARN message. It also updates the callers of WebRenderer::setCookie to explicitly provide a CookieSameSite argument (and removes the default argument). This seems more consistent with the handling of the secure attribute.

Notes on testing:

  1. Most of my testing was done using the hangman program, modifying the wt_config.xml, e.g. with tracking=auto and reload-is-new-session=false.
  2. Testing was done almost exclusively with Firefox 82 under Linux. Cursory testing was done with Chromium 86 under Linux.
  3. I temporarily patched the AuthModel::setRememberMeCookie to request a CookieSameSite::None and verified that a warning was logged.
  4. I did not do any testing with https (secure mode).

Also available in: Atom PDF