SameSite='None' flagged as invalid #433
Comments
|
To clarify, are you seeing this issue with:
Set-Cookie: key=val; SameSite=None; Secure
Or with:
Set-Cookie: key=val; SameSite=None
(I ask for clarification because these standards are changing rapidly, and
it looks like SameSite=None *without* Secure will be rejected by all
browsers that accept SameSite=None shortly, if not already as of the time
of this message.)
…On Mon, Oct 19, 2020 at 9:45 AM thecontrarycat ***@***.***> wrote:
Chrome introduced the SameSite=None option for cookies earlier this year
and with the introduction of Chrome 80 applied the default of Lax to all
cookies without a SameSite attribute.
To maintain the previous behaviour, it is necessary to apply both the
HttpOnly and SameSite=None flags.
However, Observatory penalises this with a -20 as it thinks SameSite=None
is an invalid value.
With Microsoft Azure now sending an ARRAffinitySameSite cookie by default
this heavily penalises all Azure websites that require server affinity.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#433>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAWUDC4FH6TKAHXUKFJUSLSLRUJTANCNFSM4SWMVUUA>
.
|
|
They both fail. The analyser code treats any values other than Lax and Strict as invalid. Here's the cookie in question: |
|
@april would you accept a pull request for this? The fix I am thinking about is for values other than Strict, Lax and None to be invalid (even True and not set) and for None to also be invalid if secure isn't set. I've also found a potential bug where you can get the +5 score for 'cookies-secure-with-httponly-sessions-and-samesite' while some of those cookies don't have a samesite attribute. Thoughts? |
|
That sounds reasonable to me. I think you only need SameSite on session cookies, IIRC, but it's been a while since I've looked at that code. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Chrome introduced the SameSite=None option for cookies earlier this year and with the introduction of Chrome 80 applied the default of Lax to all cookies without a SameSite attribute.
To maintain the previous behaviour, it is necessary to apply both the HttpOnly and SameSite=None flags.
However, Observatory penalises this with a -20 as it thinks SameSite=None is an invalid value.
With Microsoft Azure now sending an ARRAffinitySameSite cookie by default this heavily penalises all Azure websites that require server affinity.
The text was updated successfully, but these errors were encountered: