ingress-nginx
Support Partitioned attribute in sticky cookies
All major browser vendors have limited or will limit the use of third-party cookies in their browsers in the near future. ingress-nginx uses cookies to support sticky sessions. This will become an issue in certain scenarios when ingress-nginx serves an endpoint that is a third party to a web application.
To prevent the use of third party cookies for tracking and still enable use cases like this, there is a W3C proposal that enables partitioning cookie data using the first party URL as additional key. (https://github.com/privacycg/CHIPS)
Chrome and Firefox will support CHIPS, while Safari is still undecided.
ingress-nginx should also support CHIPS by adding an attribute like nginx.ingress.kubernetes.io/session-cookie-partitioned so that users can opt-in to use partitioned cookie state.
This issue is currently awaiting triage.
If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Can you evolve a bit more on the proposal? What would this annotation look like? What is the impact on users that enable it, for browsers that don't support it, like Safari?
Thanks
Sure. First of all, it appears that Safari is currently in favor of the CHIPS proposal (https://github.com/WebKit/standards-positions/issues/50#issuecomment-1768040057). So I expect all major browsers to behave the same.
I propose that there is a new annotation nginx.ingress.kubernetes.io/session-cookie-partitioned, with a value of "true" or "false". If the value is "true", it will add the Partitioned attribute to the cookie. A response header could look something like this:
Set-Cookie: _httpsvc_key=SIDUFWE.aosdivod....; path=/; Partitioned
Any update on this?
This is fairly urgent, since Chrome has already started the phase-out process for third-party cookies (3PC) and has already stopped accepting 3PC without CHIPS for 1% of users since January 4th by default. That implies that session stickiness in a cross-domain context already stopped working for 1% of Chrome users. Full phase-out is scheduled for Q3 this year. See 3PC advisory from Google
Partitioned
Maybe enforce "Secure" too in case it's partitioned.
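The two comments above (the proposed `Partitioned` header shape and the suggestion to require `Secure`) can be turned into a response-header check. This is an added example, not code from the thread or from ingress-nginx; the function name `auditSetCookie` and the sample header values are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// auditSetCookie (hypothetical helper) inspects one Set-Cookie header value
// and reports attribute combinations that break a sticky-session cookie
// when the backend is embedded as a third party.
func auditSetCookie(header string) []string {
	attrs := map[string]string{}
	parts := strings.Split(header, ";")
	for _, p := range parts[1:] { // parts[0] is the name=value pair
		k, v, _ := strings.Cut(strings.TrimSpace(p), "=")
		attrs[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
	}
	_, partitioned := attrs["partitioned"]
	_, secure := attrs["secure"]
	sameSite := strings.ToLower(attrs["samesite"])

	var findings []string
	if partitioned && !secure {
		findings = append(findings,
			"Partitioned without Secure: browsers implementing CHIPS reject the cookie")
	}
	if partitioned && sameSite != "none" {
		findings = append(findings,
			"Partitioned without SameSite=None: not sent in an embedded cross-site context")
	}
	if !partitioned && sameSite == "none" {
		findings = append(findings,
			"SameSite=None without Partitioned: unpartitioned third-party cookie")
	}
	return findings
}

func main() {
	// Constructed sample headers, not captured from a real deployment.
	samples := []string{
		"stickyid=constructed-value; Path=/; Partitioned",
		"stickyid=constructed-value; Path=/; Secure; SameSite=None",
		"stickyid=constructed-value; Path=/; Secure; SameSite=None; Partitioned",
	}
	for _, h := range samples {
		fmt.Printf("%q -> %d finding(s): %v\n", h, len(auditSetCookie(h)), auditSetCookie(h))
	}
}
```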
It seems that adding the Partitioned attribute to the cookie is constrained by the underlying Lua plugin "resty.cookie" not having support for it. Opened an issue here - but I'm just trying to move this along and I know nothing (feel free to wait for an adult).
/assign
@khujo when is this coming into effect?
@longwuyuan I have implemented most of the changes in my fork here: https://github.com/avif/ingress-nginx/tree/partitioned-cookie-support - waiting on the "resty.cookie" merge.
Partitioned cookie support has been merged to "resty.cookie" (v.0.3.0), I have updated my fork - will do some testing and submit a PR soon.
@longwuyuan FYI I submitted a PR.
Thank you very much. I saw that PR. Helps. Best regards.