From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id B46ED90B38 for ; Wed, 15 Mar 2023 17:26:37 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 9920FC8D2 for ; Wed, 15 Mar 2023 17:26:37 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Wed, 15 Mar 2023 17:26:36 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 5DF8841942 for ; Wed, 15 Mar 2023 17:26:36 +0100 (CET) From: Max Carrara To: pve-devel@lists.proxmox.com Date: Wed, 15 Mar 2023 17:26:26 +0100 Message-Id: <20230315162630.289768-1-m.carrara@proxmox.com> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.034 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [mozilla.org, httpwg.org, formatter.pm, lwp.pm, bootstrap.pm] Subject: [pve-devel] [PATCH widget-toolkit/http-server/apiclient 0/4] Set SameSite=Strict on Auth Cookies X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Mar 2023 16:26:37 -0000 This series sets the `SameSite` attribute of authentication cookies to `Strict` as per RFC 6265[1]. This prevents browsers from nagging; for example, FireFox 102.8.0esr would complain in the following manner: > Cookie “PVEAuthCookie” does not have a proper “SameSite” attribute > value. Soon, cookies without the “SameSite” attribute or with an > invalid value will be treated as “Lax”. This means that the cookie > will no longer be sent in third-party contexts. If your application > depends on this cookie being available in such contexts, please add > the “SameSite=None“ attribute to it. To know more about the > “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite Since setting `SameSite` to `Strict` enforces that the cookie be only sent in a first-party context - so, only to the web UI and no other site - it seemed like the best thing to choose. I'm not aware of the cookie being used in any other contexts; if that's the case, I'll gladly provide a v2. The attribute is set wherever it makes sense; the only repo in which it's not set would be 'pve-client', as that one's apparently not being used at all (it wouldn't even build). Please let me know if I have missed any spots. [1] https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-samesite-attribute proxmox-widget-toolkit: Max Carrara (2): toolkit/utils: set SameSite attr of auth cookie to 'strict' toolkit/utils: fix whitespace src/Toolkit.js | 513 ++++++++++++++++++++++++++----------------------- src/Utils.js | 6 +- 2 files changed, 276 insertions(+), 243 deletions(-) pve-http-server: Max Carrara (1): formatter/bootstrap: set SameSite attr of auth cookie to 'strict' src/PVE/APIServer/Formatter.pm | 2 +- src/PVE/APIServer/Formatter/Bootstrap.pm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) pve-apiclient: Max Carrara (1): lwp: set SameSite attr of auth cookie to 'strict' PVE/APIClient/LWP.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.39.2