Support SameSite attribute on session cookies

RESOLVED FIXED

People

(Reporter: psiinon, Assigned: dylan)

Tracking

(Depends on: 1 bug)

Production

Firefox Tracking Flags

(Not tracked)

Attachments

(1 attachment)

(Reporter)

Description

11 months ago
Firefox 60 introduces support for the SameSite cookie attribute: https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/

This provides significant protection against CSRF vulnerabilities and so it should be applied to any session cookies.

Happy to help with any implementation / checking tasks :)
(Assignee)

Comment 1

11 months ago
Heh, added to CGI.pm on 2016-06-14: https://metacpan.org/changes/distribution/CGI#L56

This looks easy.
(Assignee)

Comment 2

11 months ago
I want SameSite=Lax, right? Not SameSite=Strict, because that would mean when clicking on a link that leads to bugzilla you'd not be logged in?
Flags: needinfo?(sbennetts)
(Reporter)

Comment 3

11 months ago
That's right - 'lax' will allow the user to be logged in from normal links, so I think that's best for bmo.
Flags: needinfo?(sbennetts)
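Added example (not Bugzilla's or CGI.pm's code): a small Python model of the browser rule behind the Lax-versus-Strict choice in comments 2 and 3. A cross-site link click (a top-level GET) still carries a Lax cookie, so the user arrives logged in, while a cross-site form POST, the CSRF case, does not; Strict blocks both. The `Request` fields and the scenario names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Methods a Lax cookie may accompany on a cross-site top-level navigation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool   # initiated by a page on a different site than the cookie's
    top_level: bool    # navigation that replaces the document (link click, form submit)


def cookie_sent(samesite: str, req: Request) -> bool:
    """Decide whether a cookie with the given SameSite value is attached to req.

    Rules modelled: Strict is never sent cross-site; Lax is sent cross-site only on
    top-level navigations using a safe method; no attribute / None is always sent.
    """
    if not req.cross_site:
        return True                      # same-site requests always carry the cookie
    mode = (samesite or "none").lower()
    if mode == "strict":
        return False
    if mode == "lax":
        return req.top_level and req.method.upper() in SAFE_METHODS
    if mode == "none":
        return True                      # legacy behaviour before SameSite existed
    raise ValueError(f"unknown SameSite value: {samesite!r}")


# Constructed scenarios matching the thread's discussion (assumed names).
SCENARIOS = {
    "link click to bugzilla": Request("GET", cross_site=True, top_level=True),
    "cross-site form POST (CSRF)": Request("POST", cross_site=True, top_level=True),
    "cross-site <img>/XHR subrequest": Request("GET", cross_site=True, top_level=False),
    "same-site form POST": Request("POST", cross_site=False, top_level=True),
}


def policy_matrix(modes=("Strict", "Lax", "None")) -> dict:
    """Map each SameSite mode to {scenario: cookie_sent} so the modes can be compared."""
    return {m: {name: cookie_sent(m, r) for name, r in SCENARIOS.items()} for m in modes}


if __name__ == "__main__":
    for mode, results in policy_matrix().items():
        print(mode)
        for name, sent in results.items():
            print(f"  {'sent   ' if sent else 'blocked'}  {name}")
```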
(Assignee)

Comment 4

11 months ago
Posted file PR
(Assignee)

Updated

11 months ago
Assignee: nobody → dylan
(Assignee)

Updated

11 months ago
Status: NEW → RESOLVED
Last Resolved: 11 months ago
Resolution: --- → FIXED
Depends on: 1457817