Cytomine-bootstrap
Question: Modify `SameSite` cookie policy
Hi. With a recent release of Google Chrome, the browser will change how it applies the default value of the SameSite
cookie policy. I'm wondering if there is an easy way to configure this in Cytomine, as we would like to set our policy to lax
rather than the default.
Any tips on this would be appreciated.
More on SameSite cookie policy https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Hello,
Thanks for pointing that out.
A quick way is to add the cookie policy at the reverse proxy level
https://github.com/cytomine/Cytomine-bootstrap/blob/master/configs/nginx/nginx.conf.sample#L62
    location /j_spring_security {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://core:8080;
        proxy_cookie_path / "/; HttpOnly; SameSite=lax";
    }
I will try to add it at the backend level.
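As an added example (not code from this thread or from Cytomine), the following Python simulates that proxy_cookie_path rewrite and audits the resulting Set-Cookie values for the SameSite and HttpOnly attributes. It assumes nginx replaces the Path value by prefix, as its documentation describes, which is why a cookie scoped to a sub-path or one without a Path attribute does not come out as intended.

```python
# Added example: simulate `proxy_cookie_path / "/; HttpOnly; SameSite=lax"`
# and audit what a browser would receive. Assumption: nginx rewrites the
# Path value by prefix (documented behaviour), nothing else in the header.

def rewrite_cookie_path(header, match="/", replacement="/; HttpOnly; SameSite=lax"):
    """Mimic `proxy_cookie_path match replacement` on one Set-Cookie value.
    Only a Path attribute whose value starts with `match` is touched; a
    cookie with no Path attribute passes through unchanged."""
    out = []
    for part in (p.strip() for p in header.split(";")):
        key, _, val = part.partition("=")
        if key.strip().lower() == "path" and val.startswith(match):
            part = f"{key}={replacement}{val[len(match):]}"
        out.append(part)
    return "; ".join(out)

def parse_attrs(header):
    """Return (cookie name, {attribute name: value}), both lower-cased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    return name, attrs

def audit(header, expected="lax"):
    """List the policy gaps worth flagging for one Set-Cookie value."""
    name, attrs = parse_attrs(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "samesite" not in attrs:
        findings.append("missing SameSite")
    elif attrs["samesite"] != expected:
        findings.append(f"SameSite={attrs['samesite']} (expected {expected})")
    if attrs.get("samesite") == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    if "path" not in attrs:
        findings.append("no Path attribute, proxy_cookie_path cannot rewrite it")
    return name, findings

# Constructed backend Set-Cookie values, as a servlet container might emit them.
SAMPLES = [
    "JSESSIONID=ABC123; Path=/; HttpOnly",   # root path: rewrite works as intended
    "remember_me=tok; Path=/api; HttpOnly",  # sub-path: prefix rewrite corrupts it
    "flash=1",                               # no Path: directive never applies
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(audit(rewrite_cookie_path(raw)))
```

Running it shows only the root-path cookie ends up with a clean `SameSite=lax`, which is the case to confirm against a real response before relying on the proxy-level fix.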
Looking at making a PR for this. Do you have a preference on how to approach it? I'm guessing we don't want to hard-code a policy in there. Maybe add an option in the config file?