[GitHub] [couchdb] willholley commented on issue #2452: Update Mochiweb and add SameSite support to auth cookie
willholley commented on issue #2452: Update Mochiweb and add SameSite support to auth cookie
URL: https://github.com/apache/couchdb/pull/2452#issuecomment-603708182

@wohali @YetAnotherEye CouchDB [should automatically](https://github.com/apache/couchdb/blob/2b95500ac57d831ed4ac7abfc9250c739179b230/src/couch/src/couch_httpd_auth.erl#L463) add the `Secure` directive to the cookie so long as CouchDB is accessed over `https` (required for `SameSite=None` to work).

This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: us...@infra.apache.org

With regards, Apache Git Services
[GitHub] [couchdb] willholley commented on issue #2452: Update Mochiweb and add SameSite support to auth cookie
willholley commented on issue #2452: Update Mochiweb and add SameSite support to auth cookie
URL: https://github.com/apache/couchdb/pull/2452#issuecomment-574295526

> Do you think it would be wise (or unwise) to change the default to be `samesite = strict`?

@wohali I'm wary of this in case it breaks clients that can't handle the `SameSite` attribute. I think for the majority of users, `strict` would be the better default from a security POV, but we probably want to at least test replication against older CouchDB, PouchDB etc before making it the default.

Excluding `SameSite` should be fine - it's only users using CORS that will need to set it to `None` to keep things working.
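
The two comments above turn on how `SameSite` and `Secure` combine on the session cookie. As an added example (not part of the thread and not CouchDB code), this check audits `Set-Cookie` values for that pairing; the header strings are constructed samples, and `audit_cookie` and `cors_usable` are names made up for the illustration.

```python
# Added example: audit Set-Cookie values for the SameSite/Secure pairing.
# SAMPLES are constructed header values, not captured CouchDB output.
SAMPLES = [
    "AuthSession=abc123; Version=1; Path=/; HttpOnly; Secure; SameSite=None",
    "AuthSession=abc123; Version=1; Path=/; HttpOnly; SameSite=None",
    "AuthSession=abc123; Version=1; Path=/; HttpOnly; SameSite=Strict",
    "AuthSession=abc123; Version=1; Path=/; HttpOnly",
]

def parse_set_cookie(header):
    """Return (cookie name, attributes) with attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_cookie(header):
    """Report SameSite/Secure state and whether the cookie suits CORS use."""
    name, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite", "").lower() or None
    secure = "secure" in attrs
    findings = []
    if same_site is None:
        cors_usable = None          # no attribute: behaviour is browser-dependent
    elif same_site == "none":
        cors_usable = secure        # SameSite=None only works together with Secure
        if not secure:
            findings.append("SameSite=None without Secure (serve over https)")
    elif same_site in ("strict", "lax"):
        cors_usable = False         # not attached to cross-site XHR/fetch requests
    else:
        cors_usable = None
        findings.append("unrecognised SameSite value: " + same_site)
    return {"name": name, "same_site": same_site, "secure": secure,
            "cors_usable": cors_usable, "findings": findings}

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_cookie(sample))
```
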
[GitHub] [couchdb] willholley commented on issue #2452: Update Mochiweb and add SameSite support to auth cookie
willholley commented on issue #2452: Update Mochiweb and add SameSite support to auth cookie
URL: https://github.com/apache/couchdb/pull/2452#issuecomment-574294162

thanks both - unrelated whitespace / vscode changes now removed