On 6/6/23 17:17, Thomas Lamprecht wrote: > Am 15/03/2023 um 17:26 schrieb Max Carrara: >> This series sets the `SameSite` attribute of authentication cookies >> to `Strict` as per RFC 6265[1]. This prevents browsers from nagging; >> for example, FireFox 102.8.0esr would complain in the following manner: >> >>> Cookie “PVEAuthCookie” does not have a proper “SameSite” attribute >>> value. Soon, cookies without the “SameSite” attribute or with an >>> invalid value will be treated as “Lax”. This means that the cookie >>> will no longer be sent in third-party contexts. If your application >>> depends on this cookie being available in such contexts, please add >>> the “SameSite=None“ attribute to it. To know more about the >>> “SameSite“ attribute, read >>> https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite >> >> Since setting `SameSite` to `Strict` enforces that the cookie be only >> sent in a first-party context - so, only to the web UI and no other >> site - it seemed like the best thing to choose. I'm not aware of the >> cookie being used in any other contexts; if that's the case, I'll >> gladly provide a v2. > > now, with the upcomming beta, it's the best time to find that out ^^ > >> >> The attribute is set wherever it makes sense; the only repo in which >> it's not set would be 'pve-client', as that one's apparently not being >> used at all (it wouldn't even build). Please let me know if I have >> missed any spots. >> >> [1] >> https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-samesite-attribute >> >> >> proxmox-widget-toolkit: >> >> Max Carrara (2): >> toolkit/utils: set SameSite attr of auth cookie to 'strict' >> toolkit/utils: fix whitespace >> >> src/Toolkit.js | 513 ++++++++++++++++++++++++++----------------------- >> src/Utils.js | 6 +- >> 2 files changed, 276 insertions(+), 243 deletions(-) >> >> >> pve-http-server: >> >> Max Carrara (1): >> formatter/bootstrap: set SameSite attr of auth cookie to 'strict' >> >> src/PVE/APIServer/Formatter.pm | 2 +- >> src/PVE/APIServer/Formatter/Bootstrap.pm | 2 +- >> 2 files changed, 2 insertions(+), 2 deletions(-) >> >> >> pve-apiclient: >> >> Max Carrara (1): >> lwp: set SameSite attr of auth cookie to 'strict' >> >> PVE/APIClient/LWP.pm | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> > > > applied, thanks!
FYI, I was also about to scour through the PBS code to apply the `SameSite` attribute to `PBSAuthCookie` as well - turns out that PBS sets its cookie only via Ext JS, so this should work for PBS as well, once the version of the `proxmox-widget-toolkit` dependency is bumped (unless I've missed something). I'll keep an eye on it in regards to PBS too. _______________________________________________ pve-devel mailing list [email protected] https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
