Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Firefox complains about pouetSettings cookie #113

Open
homeworkprod opened this issue Aug 19, 2021 · 0 comments
Open

Firefox complains about pouetSettings cookie #113

homeworkprod opened this issue Aug 19, 2021 · 0 comments

Comments

@homeworkprod
Copy link
Contributor

Just noticed this warning in Firefox's console while on a prod page:

Das Cookie “pouetSettings” wird in Zukunft bald abgelehnt werden, da es für das Attribut "sameSite" entweder "none" oder einen ungültigen Wert angibt, ohne das "secure"-Attribut zu verwenden. Weitere Informationen zum "sameSite"-Attribut finden Sie unter https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

It basically says the cookie will be rejected soon-ish as it sets sameSite to "none" or an invalid value while not setting the secure cookie flag at the same time.

Working link to docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Relevant excerpts:

Note: Standards related to the Cookie SameSite attribute recently changed such that:

The cookie-sending behavior if SameSite is not specified is SameSite=Lax. Previously the default was that cookies were sent for all requests.
Cookies with SameSite=None must now also specify the Secure attribute (they require a secure context/HTTPS).

and

Note: Lax replaced None as the default value in order to ensure that users have reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks.

I'm not yet sure (I'm tired) if it could be related to:

  • The cookie being set on my browser before (whenever that happened) the browser (if that is the relevant element here) started defaulting to SameSite=Lax. My local cookie was created April 1st, 2021 though, so at least somewhat recent. And my browser version is LTS, so not the latest and greatest.
  • The custom cookie library from October 2008 doing something preventing those modern defaults.

For the record, in my browser both Pouet cookies (pouetSettings and POUETSESS3) have these settings

  • HttpOnly=false
  • Secure=false
  • SameSite=None

I run a site that sets a cookie with these settings and Firefox does not seem to complain about it. However, it is only valid to the end of the browser session, so that might make a difference.

Given that Pouet is served on HTTPS these days, it might be in order to set it with these settings (also something I do on a site, at least for authentication cookies):

  • HttpOnly=true
  • Secure=true
  • SameSite=Lax
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@homeworkprod