
Set CORS policies, http security headers to avoid error: Some cookies are misusing the recommended Same-Site attribute. (27) #10249

Open
chris001 opened this issue Oct 24, 2023 · 0 comments · May be fixed by #10374
Labels
Area: Environment Issues & PRs related to the application environment Priority:Important Issues & PRs that are important; broken functions, errors - there are workarounds Type: Bug Bugs within the core SuiteCRM codebase

Comments

@chris001
Contributor

Issue

Expected Behavior

There should be no CORS errors in the browser console.
Bonus, when the app is running in https mode, all cookies should be set to secure mode.
And http security headers should be added:

  1. x-strict-transport-security
  2. x-frame-options
  3. x-xss-protection
  4. content-security-policy
  5. referrer-policy could be no-referrer-when-downgrade

Actual Behavior

Some cookies are misusing the recommended Same-Site attribute (27).

Possible Fix

CORS changes the game rules: stackoverflow.com/questions/46288437/… With it you have, server side: Access-Control-Allow-Credentials, Access-Control-Allow-Origin, Access-Control-Allow-Headers, plus the cookie settings Secure and SameSite=None; and client side: XMLHttpRequest.withCredentials plus ES6 fetch() with credentials: 'include'.

Steps to Reproduce

  1. Install SuiteCRM 7.14 (latest) from Bitnami.
  2. Open Firefox (latest version).
  3. Log in to the app with the default credentials.
  4. Open the browser console (Ctrl+Shift+I); you will see the error listed there.

Context

Modern browsers are getting more and more strict with regard to cookies and CORS rules.
If this issue is not fixed soon, the app will start to malfunction, because the browser will discard these non-compliant cookies without explicitly set CORS policies.

Your Environment

  • SuiteCRM Version used:
  • Browser name and version (e.g. Chrome Version 51.0.2704.63 (64-bit)): Firefox latest version 119.0.
  • Environment name and version (e.g. MySQL, PHP 7): MariaDB 10.6
  • Operating System and version (e.g Ubuntu 16.04): Linux Debian 12
@johnM2401 johnM2401 added Type: Bug Bugs within the core SuiteCRM codebase Priority:Important Issues & PRs that are important; broken functions, errors - there are workarounds Area: Environment Issues & PRs related to the application environment labels Nov 6, 2023
chris001 added a commit to chris001/SuiteCRM that referenced this issue Mar 8, 2024
Fix salesagility#10249 and salesagility/SuiteCRM-Core#447

Adds required `samesite` parameter to `SugarApplication::setCookie()`
chris001 added a commit to chris001/SuiteCRM that referenced this issue Mar 8, 2024
Fix salesagility#10249 salesagility/SuiteCRM-Core#447

Sets cookie `samesite` attribute to value in `php.ini` `session.cookie_samesite` if any, or defaults to `Strict`.
chris001 added a commit to chris001/SuiteCRM that referenced this issue Mar 9, 2024
Uses `php.ini` setting for default value of required cookie attribute `samesite`.
jack7anderson7 pushed a commit to chris001/SuiteCRM that referenced this issue Mar 12, 2024
…ed by current browsers

- uses php.ini for default value
- sets samesite attr to value in php ini or strict
- adds required samesite parameter
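An added example, not SuiteCRM's own code and not the code in the commits above, showing the approach those commit messages describe: a cookie helper that takes the `samesite` default from `php.ini` `session.cookie_samesite` (falling back to `Strict`), marks cookies Secure under HTTPS, and a second helper emitting the security headers the issue asks for. The function names `resolveSameSite`, `setSecureCookie` and `sendSecurityHeaders` are hypothetical.

```php
<?php
// Added example (hypothetical helpers, not SugarApplication::setCookie()).
declare(strict_types=1);

function resolveSameSite(?string $requested = null): string
{
    // Browsers honour only these three values; anything else is treated as
    // unset, which is what triggers the "misusing the Same-Site attribute" warning.
    $allowed = ['Strict', 'Lax', 'None'];
    $value = $requested ?? (ini_get('session.cookie_samesite') ?: 'Strict');
    $value = ucfirst(strtolower((string) $value));
    return in_array($value, $allowed, true) ? $value : 'Strict';
}

function setSecureCookie(string $name, string $value, int $ttlSeconds, ?string $sameSite = null): bool
{
    $isHttps  = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $sameSite = resolveSameSite($sameSite);
    // SameSite=None is only accepted together with Secure; over plain HTTP the
    // browser would reject the cookie, so fall back to Lax instead.
    if ($sameSite === 'None' && !$isHttps) {
        $sameSite = 'Lax';
    }
    return setcookie($name, $value, [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/',
        'secure'   => $isHttps,
        'httponly' => true,
        'samesite' => $sameSite, // array form of setcookie() needs PHP >= 7.3
    ]);
}

// The headers listed under "Expected Behavior". Values are starting points;
// a real Content-Security-Policy must be tuned to the application's assets.
function sendSecurityHeaders(bool $isHttps): void
{
    if ($isHttps) {
        // HSTS header is named Strict-Transport-Security (no X- prefix).
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    }
    header('X-Frame-Options: SAMEORIGIN');
    // Legacy header: current browsers ignore it and OWASP recommends the value 0.
    header('X-XSS-Protection: 0');
    header('Referrer-Policy: no-referrer-when-downgrade');
    header("Content-Security-Policy: default-src 'self'; frame-ancestors 'self'");
}
```

Call `sendSecurityHeaders()` and `setSecureCookie()` before any output is sent, since both rely on `header()`/`setcookie()` being able to modify the response headers.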