
SameSite not used correctly on CUPS CGI HTTP Headers

Open egberts opened this issue 3 years ago • 1 comments

Analyzing Firefox on CUPS localhost:631 CGI port.

On the Console tab of Web Developer Tool (Ctrl-Shift-I):

Cookie “org.cups.sid” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute.

To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

For ease of use, the same link is https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

egberts avatar Feb 24 '22 18:02 egberts

Looking at the code, the current cookie code does not set SameSite, which isn't defined in RFC 6265 and is only present in an expired ID and described loosely on a variety of vendor websites... Not even WhatWG has touched it AFAICT.

In looking at the expired ID, it looks like we want to add "samesite=secure;" to the Set-Cookie headers, both in cgi-bin/var.c and cups/http.c.

michaelrsweet avatar Mar 31 '22 18:03 michaelrsweet
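The rule in the Firefox console message quoted above, as an added check that is not CUPS code from cgi-bin/var.c or cups/http.c: it walks the attributes of a Set-Cookie header value and reports whether a browser applying that rule would reject the cookie, that is, SameSite is None or a value other than Strict/Lax and no Secure attribute is present. The function name and the sample header are constructed for this example; the cookie name org.cups.sid is the one from the message.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Compare the whitespace-trimmed span s[0..len) with lit, ignoring case. */
static int attr_equals(const char *s, size_t len, const char *lit)
{
    while (len && isspace((unsigned char)s[len - 1])) len--;
    while (len && isspace((unsigned char)*s)) { s++; len--; }
    if (strlen(lit) != len) return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)lit[i]))
            return 0;
    return 1;
}

/* Returns 1 if the cookie would be rejected under the rule quoted in the
 * Firefox console message: SameSite is "None" or an unrecognised value
 * (only Strict, Lax and None are defined) and "Secure" is absent. */
int cookie_rejected_by_samesite_rule(const char *set_cookie)
{
    int has_secure = 0;
    int needs_secure = 0;                        /* no SameSite: treated as Lax */
    const char *p = strchr(set_cookie, ';');     /* skip the name=value pair */
    while (p) {
        p++;                                     /* step past the ';' */
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        if (!eq) {
            if (attr_equals(p, len, "Secure")) has_secure = 1;
        } else if (attr_equals(p, (size_t)(eq - p), "SameSite")) {
            const char *v = eq + 1;
            size_t vlen = len - (size_t)(v - p);
            needs_secure = !(attr_equals(v, vlen, "Strict") ||
                             attr_equals(v, vlen, "Lax"));
        }
        p = end;
    }
    return needs_secure && !has_secure;
}

int main(void)
{   /* Constructed sample header, not captured from a CUPS server. */
    const char *hdr = "org.cups.sid=abc123; SameSite=None";
    printf("%s -> %s\n", hdr, cookie_rejected_by_samesite_rule(hdr) ? "rejected" : "accepted");
    return 0;
}
```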

Revisiting this, it looks like Mozilla has adopted "Lax" as the new default value to not break existing code, so it doesn't look like we need to do anything here.

michaelrsweet avatar Jan 17 '23 12:01 michaelrsweet