
Question: Modify `SameSite` cookie policy

Open AustinGil opened this issue 3 years ago • 2 comments

Hi. With a recent release of Google Chrome, the browser will change how it applies the default value of the SameSite cookie policy. I'm wondering if there is an easy way to configure this in Cytomine, as we would like to set our policy to lax rather than the default.

Any tips on this would be appreciated.

More on SameSite cookie policy https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

AustinGil avatar Dec 15 '20 08:12 AustinGil

Hello,

Thanks for pointing that out.

A quick way is to add the cookie policy at the reverse proxy level

https://github.com/cytomine/Cytomine-bootstrap/blob/master/configs/nginx/nginx.conf.sample#L62

                location /j_spring_security {
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header Host $host;
                        proxy_pass http://core:8080;
                        # Rewrites the Path attribute of Set-Cookie headers coming
                        # from the backend; the extra attributes ride along with
                        # the replacement value.
                        proxy_cookie_path / "/; HttpOnly; SameSite=lax";
                }

I will try to add it at the backend level.

geektortoise avatar Jan 04 '21 17:01 geektortoise
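Added check, not code from the Cytomine-bootstrap repository or from either commenter: a small script that inspects Set-Cookie headers for the attributes the nginx trick above is meant to add, and that models what that rewrite does to a cookie. As I read the nginx documentation, `proxy_cookie_path` does a prefix replacement on the value of the Path attribute, so the extra attributes only land cleanly when the backend cookie's path is exactly `/`; a cookie with a context path such as `/core`, or with no Path attribute at all, is the failure mode worth testing for. The sample Set-Cookie headers are constructed, not captured from a Cytomine instance; `check_headers` is meant to be fed the list returned by `urllib.request.urlopen(...).getheaders()` against the deployed `/j_spring_security` endpoint.

```python
"""Check Set-Cookie headers for SameSite/HttpOnly/Secure and model the nginx
proxy_cookie_path rewrite.  Added example; sample headers are constructed."""
import re
from typing import Dict, List, Tuple

VALID_SAMESITE = {"strict", "lax", "none"}

# Matches the Path attribute of a Set-Cookie value (attribute names are
# case-insensitive per RFC 6265).
_PATH_ATTR = re.compile(r"(;\s*path=)([^;]*)", re.IGNORECASE)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased; flag attributes such as HttpOnly map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def rewrite_path_like_nginx(header: str, path: str = "/",
                            replacement: str = "/; HttpOnly; SameSite=lax") -> str:
    """Approximation (assumption, from the nginx docs) of
    proxy_cookie_path PATH REPLACEMENT: the leading PATH of the cookie's Path
    attribute value is replaced by REPLACEMENT.  Cookies with no Path attribute,
    or whose path does not start with PATH, pass through unchanged."""
    m = _PATH_ATTR.search(header)
    if m is None or not m.group(2).startswith(path):
        return header
    start, end = m.span(2)
    return header[:start] + replacement + m.group(2)[len(path):] + header[end:]


def cookie_issues(header: str) -> List[str]:
    """Return human-readable findings for one Set-Cookie value."""
    name, _, attrs = parse_set_cookie(header)
    issues: List[str] = []
    samesite = attrs.get("samesite")
    if samesite is None:
        issues.append(f"{name}: no SameSite attribute (browser default applies)")
    elif samesite.lower() not in VALID_SAMESITE:
        issues.append(f"{name}: invalid SameSite value {samesite!r}")
    elif samesite.lower() == "none" and "secure" not in attrs:
        issues.append(f"{name}: SameSite=None without Secure is rejected by Chrome")
    if "httponly" not in attrs:
        issues.append(f"{name}: missing HttpOnly")
    return issues


def check_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Run cookie_issues over every Set-Cookie header in a list of
    (name, value) pairs, e.g. the result of HTTPResponse.getheaders()."""
    findings: List[str] = []
    for key, val in headers:
        if key.lower() == "set-cookie":
            findings.extend(cookie_issues(val))
    return findings


if __name__ == "__main__":
    # Constructed backend cookies: the ideal case, a context-path case,
    # and one with no Path attribute at all.
    samples = [
        "JSESSIONID=ABC123; Path=/; HttpOnly",
        "JSESSIONID=ABC123; Path=/core; HttpOnly",
        "JSESSIONID=ABC123; HttpOnly",
    ]
    for raw in samples:
        rewritten = rewrite_path_like_nginx(raw)
        print("backend :", raw)
        print("proxied :", rewritten)
        print("findings:", cookie_issues(rewritten) or "none")
        print()
```

The second sample is the caveat: prefix replacement turns `Path=/core` into `SameSite=laxcore`, which the checker flags as an invalid value, so run the check against the real endpoint rather than trusting the config by inspection.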

Looking at making a PR for this. Do you have a preference on how to approach it? I'm guessing we don't want to hard-code a policy in there. Maybe add an option in the config file?

AustinGil avatar Feb 03 '21 17:02 AustinGil