embedio
Implement SameSite cookie attribute
The `SameSite` attribute cannot be specified using `Response.SetCookie()` (`System.Net.Cookie` doesn't have the field). I've also checked `HttpListenerResponse.AppendSetCookieHeader`.
Side-notes: Firefox complains about not specifying the SameSite or Secure attribute for cookies, even for localhost.

> Cookie “sid” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite” attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Setting Secure removes the warning for unsecure http localhost. No warnings from Chrome. At the moment I'm still trying to understand the best approach.
I'm actually getting a similar warning from the Brave browser that mentions Chrome intends to block these cookies in a future version. NOT getting this warning in Chrome.
> A cookie associated with a resource at http://localhost/ was set with `SameSite=None` but without `Secure`. A future release of Chrome will only deliver cookies marked `SameSite=None` if they are also marked `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.
So is this a problem/feature-request for EmbedIO? @AbeniMatteo where (in the source code?) did you set Secure?
```csharp
context.Response.SetCookie(new Cookie("name", "value") { Secure = true });
```
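The one-liner above only sets `Secure`; since `System.Net.Cookie` has no `SameSite` field, the attribute has to be written into a raw `Set-Cookie` header. The following is an added example (not EmbedIO's own code, nor code from anyone in this thread) that builds such a header value and appends it to a `System.Net.HttpListenerResponse`; the `response` variable, the `SameSiteCookies` helper and the `Lax` default are assumptions for illustration. It refuses the `SameSite=None` without `Secure` combination that both browser warnings quoted above complain about.

```csharp
using System;
using System.Net;
using System.Text;

// Added example, not EmbedIO project code. Demonstrates emitting a cookie with
// a SameSite attribute, which System.Net.Cookie cannot express, by writing the
// Set-Cookie header directly on a System.Net.HttpListenerResponse (assumed here
// to be the underlying response type, as the thread refers to HttpListenerResponse).
public static class SameSiteCookies
{
    public enum SameSiteMode { Strict, Lax, None }

    // Builds the raw Set-Cookie header value. Throws when SameSite=None is
    // requested without Secure, because Firefox and Chrome reject that
    // combination (the warnings quoted in this thread).
    public static string BuildSetCookieValue(
        string name,
        string value,
        SameSiteMode sameSite = SameSiteMode.Lax,
        bool secure = true,
        bool httpOnly = true,
        string path = "/")
    {
        if (string.IsNullOrEmpty(name) || name.IndexOfAny(new[] { ';', '=', ',', ' ' }) >= 0)
            throw new ArgumentException("Cookie name must be non-empty and contain no ';', '=', ',' or spaces.", nameof(name));
        if (value == null || value.IndexOfAny(new[] { ';', ',', ' ' }) >= 0)
            throw new ArgumentException("Cookie value must not contain ';', ',' or spaces.", nameof(value));
        if (sameSite == SameSiteMode.None && !secure)
            throw new ArgumentException("SameSite=None requires the Secure attribute; browsers reject it otherwise.");

        var sb = new StringBuilder();
        sb.Append(name).Append('=').Append(value);
        sb.Append("; Path=").Append(path);
        sb.Append("; SameSite=").Append(sameSite.ToString()); // "Strict", "Lax" or "None"
        if (secure) sb.Append("; Secure");
        if (httpOnly) sb.Append("; HttpOnly"); // keeps the cookie out of reach of page scripts
        return sb.ToString();
    }

    // Appends the cookie as a Set-Cookie header on the response. AppendHeader is
    // a real HttpListenerResponse method; the call bypasses Response.SetCookie,
    // which is what drops the SameSite attribute in the first place.
    public static void AppendSameSiteCookie(
        HttpListenerResponse response,
        string name,
        string value,
        SameSiteMode sameSite = SameSiteMode.Lax,
        bool secure = true)
    {
        response.AppendHeader("Set-Cookie", BuildSetCookieValue(name, value, sameSite, secure));
    }
}

// Usage (assumes a variable `response` of type HttpListenerResponse is in scope):
//   SameSiteCookies.AppendSameSiteCookie(response, "sid", "abc123", SameSiteCookies.SameSiteMode.Lax, secure: true);
//   -> header value: sid=abc123; Path=/; SameSite=Lax; Secure; HttpOnly
```

`SameSite=Lax` is used as the default because it is what Chrome applies to cookies that carry no attribute at all, so declaring it explicitly also silences the Firefox warning about a missing attribute without changing cross-site behaviour; `Secure` defaults to true so the `None` case cannot be reached by accident.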
Thanks, I'll add this to my embedding program.
OK so further investigation shows that the warning is caused by a session cookie named 'a_session_console', so it could possibly be sent only when I have the console open.
This cookie is NOT sent from my code, it's somewhere in the session module -- I'll try to zero in on where in the code it's coming from: