From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 235F78EF5 for ; Fri, 23 Jun 2023 10:14:55 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 0BD6730586 for ; Fri, 23 Jun 2023 10:14:55 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Fri, 23 Jun 2023 10:14:54 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id D245243016 for ; Fri, 23 Jun 2023 10:14:53 +0200 (CEST) Message-ID: <1ea82835-b58a-ab0e-2909-d1f69089e7f7@proxmox.com> Date: Fri, 23 Jun 2023 10:14:52 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.12.0 Content-Language: en-US To: Thomas Lamprecht , Proxmox VE development discussion References: <20230315162630.289768-1-m.carrara@proxmox.com> <09387419-0a9e-ac2f-c6b6-68a7d0ef05da@proxmox.com> From: Max Carrara In-Reply-To: <09387419-0a9e-ac2f-c6b6-68a7d0ef05da@proxmox.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.035 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -0.09 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [bootstrap.pm, formatter.pm, mozilla.org, lwp.pm, httpwg.org] Subject: Re: [pve-devel] applied-series: [PATCH widget-toolkit/http-server/apiclient 0/4] Set SameSite=Strict on Auth Cookies X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Jun 2023 08:14:55 -0000 On 6/6/23 17:17, Thomas Lamprecht wrote: > Am 15/03/2023 um 17:26 schrieb Max Carrara: >> This series sets the `SameSite` attribute of authentication cookies >> to `Strict` as per RFC 6265[1]. This prevents browsers from nagging; >> for example, FireFox 102.8.0esr would complain in the following manner: >> >>> Cookie “PVEAuthCookie” does not have a proper “SameSite” attribute >>> value. Soon, cookies without the “SameSite” attribute or with an >>> invalid value will be treated as “Lax”. This means that the cookie >>> will no longer be sent in third-party contexts. If your application >>> depends on this cookie being available in such contexts, please add >>> the “SameSite=None“ attribute to it. To know more about the >>> “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite >> >> Since setting `SameSite` to `Strict` enforces that the cookie be only >> sent in a first-party context - so, only to the web UI and no other >> site - it seemed like the best thing to choose. I'm not aware of the >> cookie being used in any other contexts; if that's the case, I'll >> gladly provide a v2. > > now, with the upcomming beta, it's the best time to find that out ^^ > >> >> The attribute is set wherever it makes sense; the only repo in which >> it's not set would be 'pve-client', as that one's apparently not being >> used at all (it wouldn't even build). Please let me know if I have >> missed any spots. >> >> [1] https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-samesite-attribute >> >> >> proxmox-widget-toolkit: >> >> Max Carrara (2): >> toolkit/utils: set SameSite attr of auth cookie to 'strict' >> toolkit/utils: fix whitespace >> >> src/Toolkit.js | 513 ++++++++++++++++++++++++++----------------------- >> src/Utils.js | 6 +- >> 2 files changed, 276 insertions(+), 243 deletions(-) >> >> >> pve-http-server: >> >> Max Carrara (1): >> formatter/bootstrap: set SameSite attr of auth cookie to 'strict' >> >> src/PVE/APIServer/Formatter.pm | 2 +- >> src/PVE/APIServer/Formatter/Bootstrap.pm | 2 +- >> 2 files changed, 2 insertions(+), 2 deletions(-) >> >> >> pve-apiclient: >> >> Max Carrara (1): >> lwp: set SameSite attr of auth cookie to 'strict' >> >> PVE/APIClient/LWP.pm | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> > > > applied, thanks! FYI, I was also about to scour through the PBS code to apply the `SameSite` attribute to `PBSAuthCookie` as well - turns out that PBS sets its cookie only via Ext JS, so this should work for PBS as well, once the version of the `proxmox-widget-toolkit` dependency is bumped (unless I've missed something). I'll keep an eye on it in regards to PBS too.