SameSite='None' flagged as invalid #433
Comments
To clarify, are you seeing this issue with:

Set-Cookie: key=val; SameSite=None; Secure

Or with:

Set-Cookie: key=val; SameSite=None

(I ask for clarification because these standards are changing rapidly, and it looks like SameSite=None *without* Secure will be rejected by all browsers that accept SameSite=None shortly, if not already as of the time of this message.)
On Mon, Oct 19, 2020 at 9:45 AM thecontrarycat wrote:

> Chrome introduced the SameSite=None option for cookies earlier this year and with the introduction of Chrome 80 applied the default of Lax to all cookies without a SameSite attribute.
>
> To maintain the previous behaviour, it is necessary to apply both the HttpOnly and SameSite=None flags.
>
> However, Observatory penalises this with a -20 as it thinks SameSite=None is an invalid value.
>
> With Microsoft Azure now sending an ARRAffinitySameSite cookie by default this heavily penalises all Azure websites that require server affinity.
@april would you accept a pull request for this? The fix I am thinking about is for values other than Strict, Lax and None to be invalid (even True and not set) and for None to also be invalid if secure isn't set. I've also found a potential bug where you can get the +5 score for 'cookies-secure-with-httponly-sessions-and-samesite' while some of those cookies don't have a samesite attribute. Thoughts?
That sounds reasonable to me. I think you only need SameSite on session cookies, IIRC, but it's been a while since I've looked at that code.
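The validation rule proposed in the thread (only Strict, Lax and None are valid; None additionally requires Secure; the +5 bonus should not be awarded while a session cookie lacks SameSite), written out as an added Python example. This is illustration code, not Observatory's own scanner: the function names, the `"sess"`-in-name session-cookie heuristic and the sample header values are assumptions made for the example.

```python
from typing import Dict, List

# Values the SameSite attribute may legitimately take (compared case-insensitively).
VALID_SAMESITE = ("strict", "lax", "none")


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header value into a dict of lower-cased attributes.

    Flag attributes such as Secure and HttpOnly map to "" so that
    `"secure" in attrs` works; the cookie name is kept under "__name__".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"__name__": name.strip(), "__value__": value.strip()}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return attrs


def samesite_verdict(attrs: Dict[str, str]) -> str:
    """Classify the SameSite attribute of a parsed cookie.

    Returns one of "missing", "invalid", "none-without-secure" or "ok".
    A bare "SameSite" (no value) and values such as "True" are invalid;
    "None" is only acceptable when the Secure flag is also present.
    """
    if "samesite" not in attrs:
        return "missing"
    value = attrs["samesite"].lower()
    if value not in VALID_SAMESITE:
        return "invalid"
    if value == "none" and "secure" not in attrs:
        return "none-without-secure"
    return "ok"


def check_header(header: str) -> str:
    """Convenience wrapper: verdict for a raw Set-Cookie header string."""
    return samesite_verdict(parse_set_cookie(header))


def is_session_cookie(name: str) -> bool:
    """Assumed heuristic for this example (not Observatory's rule):
    treat any cookie whose name contains 'sess' as a session cookie."""
    return "sess" in name.lower()


def session_cookies_fully_hardened(headers: List[str]) -> bool:
    """True only when every session cookie carries Secure, HttpOnly and a
    valid SameSite value. A session cookie with no SameSite at all makes
    this False instead of silently qualifying for the bonus."""
    session = [c for c in map(parse_set_cookie, headers)
               if is_session_cookie(c["__name__"])]
    if not session:
        return False
    return all(
        "secure" in c and "httponly" in c and samesite_verdict(c) == "ok"
        for c in session
    )


if __name__ == "__main__":
    # Constructed sample headers; the ARRAffinitySameSite value is made up.
    samples = [
        "key=val; SameSite=None; Secure",
        "key=val; SameSite=None",
        "key=val; SameSite=True",
        "key=val; SameSite",
        "ARRAffinitySameSite=abc123; Path=/; HttpOnly; Secure; SameSite=None",
    ]
    for h in samples:
        print(f"{check_header(h):>20}  <-  {h}")
```

`check_header` takes the value of a single Set-Cookie header (everything after `Set-Cookie:`); attribute names are matched case-insensitively, as browsers do, so `samesite=lax` and `SameSite=Lax` are treated the same.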
Chrome introduced the SameSite=None option for cookies earlier this year and with the introduction of Chrome 80 applied the default of Lax to all cookies without a SameSite attribute.
To maintain the previous behaviour, it is necessary to apply both the HttpOnly and SameSite=None flags.
However, Observatory penalises this with a -20 as it thinks SameSite=None is an invalid value.
With Microsoft Azure now sending an ARRAffinitySameSite cookie by default this heavily penalises all Azure websites that require server affinity.