Hello,

Thank you for the answer.
In fact, some major features of a product I am working on won't work 
anymore with Chrome 80's new default behavior (and other browsers say they will 
follow, I don't know when).
Not because of a security issue (I guess), but because, by design, the application is 
embedded into an iframe held by a third-party domain. In that use case, the HAProxy 
persistent session cookie will not be transmitted, which breaks the application 
that relies on it. It is one example; I have others.
Chrome updates are quite automatic; it is not really easy for users to roll back to 
the previous version.
This is why I am a little afraid.

Anyway, thank you for the commit in the development version.
Do you think you will also backport it to the 1.X version?
I don't know how HAProxy releases are planned. Any idea of a schedule for 
releases (2.X and 1.X if relevant)?

Thank you,

Mickaël


-----Original Message-----
From: Willy Tarreau [mailto:w...@1wt.eu]
Sent: Wednesday 22 January 2020 07:20
To: Christopher Faulet
Cc: BRIDE Mickaël SCE/OGSB; haproxy@formilux.org
Subject: Re: SameSite attribute for persistent session cookie

Hi guys,

On Tue, Jan 21, 2020 at 11:49:43AM +0100, Christopher Faulet wrote:
> On 21/01/2020 at 09:14, mickael.br...@orange.com wrote:
> > Hello,
> > 
> > With Chrome 80 release in february, HAProxy persistent session cookie
> > will not be working anymore for sites embedded into iframe on multiple
> > domains.
> > 
> > See issue https://github.com/haproxy/haproxy/issues/361
> > 
> > Have you planned something to manage that point soon?

Well, first, let's cool down a little bit. Browsers normally don't
break the web, or when they do so, it takes years or decades. Otherwise
their users simply roll back to the previous version or switch to more
conservative competitors. If some sites are totally insecure and stop
working, it will not be a big loss, but these sites will not change any
of their components either. Most of the internet's infrastructure cannot
afford to perform major upgrades to new components just because some
browser developers woke up one morning thinking how cool it could be to
drop support for something currently working fine.

> Here is a quick patch that should fix the issue. It is a generic way to add
> attributes to a cookie. For instance:
> 
>    cookie SRV insert secure attr "SameSite=Strict"
> 
> Any comments?

I do :-) We should add "*" after the "[ attr ... ]" field in the doc
since you allow the attribute to be repeated. I did it and merged it.

Thanks!
Willy
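As an added example (not code from this thread or from HAProxy itself), the following Python model shows how a browser applying the Chrome 80 defaults (a cookie without SameSite is treated as Lax, and SameSite=None is only accepted together with Secure) handles the cookie that HAProxy's `cookie ... insert` line sets under different `attr` values. The Set-Cookie headers are constructed to mirror the configuration lines they are paired with, and the example goes beyond the quoted `SameSite=Strict` case to show why that attribute does not cover the third-party-iframe scenario while `SameSite=None` combined with `secure` does.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool
    samesite: Optional[str]  # "Strict", "Lax", "None", or None when absent


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value into name/value plus the two attributes that matter here."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure, samesite = False, None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "samesite":
            samesite = val.strip().capitalize()  # normalise "none" -> "None", etc.
    return Cookie(name.strip(), value, secure, samesite)


def effective_samesite(c: Cookie) -> str:
    """Chrome 80 default: a cookie that does not declare SameSite behaves as SameSite=Lax."""
    return c.samesite if c.samesite is not None else "Lax"


def accepted_by_browser(c: Cookie, https: bool) -> bool:
    """A Secure cookie is only stored over HTTPS, and SameSite=None is rejected unless Secure is set."""
    if c.secure and not https:
        return False
    if effective_samesite(c) == "None" and not c.secure:
        return False
    return True


def sent_on_cross_site_iframe(c: Cookie, https: bool = True) -> bool:
    """Requests from a page embedded in a third-party iframe are cross-site: only SameSite=None cookies travel."""
    return accepted_by_browser(c, https) and effective_samesite(c) == "None"


# Constructed pairs of HAProxy config line -> Set-Cookie header it would emit (illustrative, not captured output).
CONFIG_TO_HEADER = {
    'cookie SRV insert': "SRV=s1; path=/",
    'cookie SRV insert secure attr "SameSite=Strict"': "SRV=s1; path=/; Secure; SameSite=Strict",
    'cookie SRV insert secure attr "SameSite=None"': "SRV=s1; path=/; Secure; SameSite=None",
    'cookie SRV insert attr "SameSite=None"': "SRV=s1; path=/; SameSite=None",  # missing Secure: rejected
}


def evaluate_configs(https: bool = True) -> dict:
    """Return, per config line, whether the session cookie survives a cross-site iframe request."""
    return {cfg: sent_on_cross_site_iframe(parse_set_cookie(hdr), https) for cfg, hdr in CONFIG_TO_HEADER.items()}


if __name__ == "__main__":
    for cfg, ok in evaluate_configs().items():
        print(f"{'sent    ' if ok else 'not sent'}  <- {cfg}")
```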
