
Firefox complains about `pouetSettings` cookie

Open. homeworkprod opened this issue 2 years ago • 0 comments

Just noticed this warning in Firefox's console while on a prod page:

Das Cookie “pouetSettings” wird in Zukunft bald abgelehnt werden, da es für das Attribut "sameSite" entweder "none" oder einen ungültigen Wert angibt, ohne das "secure"-Attribut zu verwenden. Weitere Informationen zum "sameSite"-Attribut finden Sie unter https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

It basically says the cookie will be rejected soon-ish as it sets sameSite to "none" or an invalid value while not setting the secure cookie flag at the same time.

Working link to docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Relevant excerpts:

Note: Standards related to the Cookie SameSite attribute recently changed such that:

The cookie-sending behavior if SameSite is not specified is SameSite=Lax. Previously the default was that cookies were sent for all requests. Cookies with SameSite=None must now also specify the Secure attribute (they require a secure context/HTTPS).

and

Note: Lax replaced None as the default value in order to ensure that users have reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks.

I'm not yet sure (I'm tired) if it could be related to:

  • The cookie being set on my browser before (whenever that happened) the browser (if that is the relevant element here) started defaulting to SameSite=Lax. My local cookie was created April 1st, 2021 though, so at least somewhat recent. And my browser version is LTS, so not the latest and greatest.
  • The custom cookie library from October 2008 doing something preventing those modern defaults.

For the record, in my browser both Pouet cookies (pouetSettings and POUETSESS3) have these settings:

  • HttpOnly=false
  • Secure=false
  • SameSite=None

I run a site that sets a cookie with these settings and Firefox does not seem to complain about it. However, it is only valid to the end of the browser session, so that might make a difference.

Given that Pouet is served on HTTPS these days, it might be in order to set it with these settings (also something I do on a site, at least for authentication cookies):

  • HttpOnly=true
  • Secure=true
  • SameSite=Lax

homeworkprod · Aug 19 '21 02:08
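The check behind the Firefox warning, and the hardened header the issue proposes, as an added example (not Pouet's code): it audits a `Set-Cookie` header for `SameSite=None` or an invalid value without `Secure`, applies the `Lax` default when the attribute is absent, and re-emits the header with `Secure; HttpOnly; SameSite=Lax`. The sample headers and cookie values are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
# Constructed example headers; values are placeholders, not Pouet's real cookies.
SAMPLE_HEADERS = [
    "pouetSettings=PLACEHOLDER; Path=/; Expires=Thu, 01 Apr 2022 00:00:00 GMT; SameSite=None",
    "login=PLACEHOLDER; Path=/; Secure; HttpOnly; SameSite=Lax",
]

@dataclass
class CookieReport:
    name: str
    samesite: Optional[str]   # attribute value exactly as sent; None if absent
    effective_samesite: str   # what a current browser applies ("Lax" when absent)
    rejected: bool            # True when the Firefox warning quoted above applies
    warnings: List[str] = field(default_factory=list)

def parse_set_cookie(header: str) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Split a Set-Cookie header into (name, value, [(attribute, value), ...])."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = [(k.strip(), v.strip()) for k, _, v in (p.partition("=") for p in parts[1:])]
    return name.strip(), value, attrs

def audit_set_cookie(header: str) -> CookieReport:
    name, _, attrs = parse_set_cookie(header)
    lower = {k.lower(): v for k, v in attrs}
    secure, raw = "secure" in lower, lower.get("samesite")
    warnings, rejected = [], False
    if raw is None:
        effective = "Lax"                         # modern default when unspecified
    elif raw.lower() in ("lax", "strict"):
        effective = raw.capitalize()
    else:                                         # "None" or an unrecognised value
        effective = "None" if raw.lower() == "none" else f"invalid ({raw})"
        if not secure:                            # exactly the case Firefox warns about
            rejected = True
            warnings.append("SameSite=None/invalid without Secure: cookie will be rejected")
    if not secure:
        warnings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in lower:
        warnings.append("missing HttpOnly: cookie is readable from page scripts")
    return CookieReport(name, raw, effective, rejected, warnings)

def harden(header: str) -> str:
    """Re-emit the header with the settings proposed in the issue: Secure; HttpOnly; SameSite=Lax."""
    name, value, attrs = parse_set_cookie(header)
    kept = [f"{k}={v}" if v else k for k, v in attrs
            if k.lower() not in ("secure", "httponly", "samesite")]
    return "; ".join([f"{name}={value}", *kept, "Secure", "HttpOnly", "SameSite=Lax"])
```

Running `audit_set_cookie` over each entry of `SAMPLE_HEADERS` flags the first (SameSite=None without Secure) as rejected and passes the second cleanly.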