
Adding `SameSite` to `Antikythera.Http.SetCookie`

Open sylph01 opened this issue 3 years ago • 2 comments

Rationale

`Antikythera.Http.SetCookie` lacks the option to set the `SameSite` attribute of the `Set-Cookie` header, and it is currently forced into using `SameSite=Lax`. As my team and I came across a need to set the `SameSite` directive to `SameSite=None` (especially in combination with `Antikythera.Session`), I am raising this issue and proposing the addition of this functionality. This would also help gears that want to enforce `SameSite=Strict`.

Proposed changes

  • Add a `same_site` field to `Antikythera.Http.SetCookie`
    • This will be an enum that takes either `:lax`, `:strict`, or `:none`
    • Adding a field under the `SetCookie` module's field list and adding a type would do this
    • I am ready to write up a patch for this change
  • Add an interface to `Antikythera.Plug.Session.load/2`
    • When explicitly adding a Cookie entry, passing an optional argument to `Antikythera.Conn.put_resp_cookie/4` can achieve this
    • But when used in combination with `Antikythera.Plug.Session.load/2` it is not trivial, so I would like advice on how to change this
      • As of right now, I am thinking of passing options under the `:set_cookie` key, then passing this option to `make_before_send/2` (this would add an argument and thus change the signature to `make_before_send/3`) so that it can be passed on to `Antikythera.Conn.put_resp_cookie/4` (now called with only 3 arguments).

Relevant references

sylph01 avatar Dec 07 '21 08:12 sylph01
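The proposal above adds a `same_site` option with the values `:lax`, `:strict` and `:none`. The practical caveat for the `SameSite=None` case the reporter needs is that browsers only accept `SameSite=None` on cookies that also carry `Secure`; a `SameSite=None` cookie without `Secure` is silently dropped. The module below is an added example written for this page, not Antikythera's or cowlib's code: the module name `SetCookieExample`, its struct fields and `render/2` are all hypothetical. It renders a `Set-Cookie` header value from a struct that carries a `same_site` field of exactly that shape, and refuses the `:none` + non-secure combination up front rather than emitting a cookie the browser will discard.

```elixir
# Added example for this issue page; not Antikythera's or cowlib's
# implementation. Models the proposed same_site option and enforces the
# browser rule that SameSite=None is only honoured on Secure cookies.
defmodule SetCookieExample do
  @moduledoc false

  @type same_site :: :lax | :strict | :none

  @enforce_keys [:value]
  defstruct value: nil,
            path: "/",
            domain: nil,
            max_age: nil,
            secure: false,
            http_only: true,
            # Default matches what the issue reports as the current
            # hard-coded behaviour.
            same_site: :lax

  @doc """
  Renders the value of a Set-Cookie header for cookie `name`.

  Returns `{:error, :same_site_none_requires_secure}` instead of a header
  when `same_site: :none` is combined with `secure: false`, because browsers
  drop such cookies and the application would otherwise lose its session
  silently.
  """
  @spec render(String.t(), %__MODULE__{}) :: {:ok, String.t()} | {:error, atom()}
  def render(_name, %__MODULE__{same_site: :none, secure: false}) do
    {:error, :same_site_none_requires_secure}
  end

  def render(name, %__MODULE__{} = cookie) when is_binary(name) do
    attributes =
      [
        {"Path", cookie.path},
        {"Domain", cookie.domain},
        {"Max-Age", cookie.max_age && Integer.to_string(cookie.max_age)},
        {"Secure", cookie.secure},
        {"HttpOnly", cookie.http_only},
        {"SameSite", same_site_token(cookie.same_site)}
      ]
      # Drop unset (nil) and boolean-false attributes; render boolean-true
      # attributes as bare flags and everything else as key=value.
      |> Enum.flat_map(fn
        {_key, nil} -> []
        {_key, false} -> []
        {key, true} -> [key]
        {key, value} -> ["#{key}=#{value}"]
      end)

    {:ok, Enum.join(["#{name}=#{cookie.value}" | attributes], "; ")}
  end

  defp same_site_token(:lax), do: "Lax"
  defp same_site_token(:strict), do: "Strict"
  defp same_site_token(:none), do: "None"
end
```

Calling `SetCookieExample.render("_session", %SetCookieExample{value: "abc", secure: true, same_site: :none})` yields an `{:ok, header}` tuple whose header ends in `Secure; HttpOnly; SameSite=None`; the same call with `secure: false` returns `{:error, :same_site_none_requires_secure}`. Whatever shape the real `same_site` field ends up taking, the same guard belongs wherever `Antikythera.Plug.Session` or a gear builds the session cookie, since a cross-site session cookie that the browser refuses to store is indistinguishable from a missing session on the next request.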

Thank you for filing a bug!

Since cowlib, which Antikythera uses, has `:same_site`, `Antikythera.Http.SetCookie` should have it as well. However, cowlib 2.9 or earlier only supports `:lax` and `:strict`, so we have to update cowlib to 2.10. It means we have to update cowboy to 2.9.

Could you wait for the cowboy update?

aYukiSekiguchi avatar Dec 07 '21 09:12 aYukiSekiguchi

I have checked with our team that we can figure out a workaround to our project's specific problem, so we can wait for the cowboy update.

Meanwhile, we found out that we need to specify the session's expiration explicitly, so I sent a patch that does this and also addresses the second part of this issue (Add an interface to `Antikythera.Plug.Session.load/2`). The first part will be addressed after the cowboy update, because it is dependent on cowboy supporting the `:none` value for the `same_site` key.

sylph01 avatar Dec 08 '21 05:12 sylph01