Closed Bug 1461630 Opened 7 years ago Closed 7 years ago

Support SameSite cookie attribute on sessionid

Categories

(Webtools Graveyard :: Pontoon, enhancement, P2)

enhancement

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: psiinon, Assigned: jotes)

Details

(Keywords: sec-low, wsec-cookie)

Attachments

(3 files)

Firefox 60 introduces support for the SameSite cookie attribute: https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/. This provides significant protection against CSRF vulnerabilities and so it should be applied to the sessionid cookie. It looks like it's been added to Django (https://code.djangoproject.com/ticket/27863) but the fix doesn't appear to be in the latest release. I'm guessing we'll need to wait until there's a new Django release and then migrate to it before we can add SameSite support?
If the fix isn't back-ported to django 1.11.x, using this will require an update from python2 to python3, with all the jazz that comes with it.
We have a few other services on django 1.11.x - I'll look into how difficult it might be to back-port the fix.
Unfortunately 1.11 is only receiving data loss and security fixes: https://code.djangoproject.com/ticket/29409
:Pike, :mathjazz From what I see, that's a small feature that can be implemented as a middleware, with the plan to remove this when Python3 lands in Pontoon. If that's okay for you I can take a stab.
Please go ahead. :))
Assignee: nobody → poke
Sounds like a good plan to me :)
:psiinon, could you review the patch at https://github.com/mozilla/pontoon/pull/964? It might be useful for other services on django 1.11.x, too.
Flags: needinfo?(sbennetts)
Looking at it right now. I was thinking the same thing re other services :)
Flags: needinfo?(sbennetts)
Commit pushed to master at https://github.com/mozilla/pontoon
https://github.com/mozilla/pontoon/commit/3cc5146fa19d651e172bec6ad7f55d8a002ffec6
Bug 1461630 - Set SameSite flag for session and csrf cookies. (#964)
Commit pushed to master at https://github.com/mozilla/pontoon
https://github.com/mozilla/pontoon/commit/340559fe8ffe40703aee0d1891215bb97fdf3e07
Fix bug 1461630: Update django-cookies-samesite to 0.1.2 (#966)
And fix the order of dependencies in requirements.txt.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Commit pushed to master at https://github.com/mozilla/pontoon
https://github.com/mozilla/pontoon/commit/914fb53382196b6363bcd7b3b8fa227f12ca7228
Bug 1461630 - Change SameSite attribute to "lax". (#968)
Otherwise we get "IndexError: list index out of range" error on log in.
Priority: -- → P2
Keywords: sec-low
Product: Webtools → Webtools Graveyard
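The thread above settles on two things: on Django 1.11, which has no native SameSite support, the attribute has to be bolted on by a middleware that rewrites the session and CSRF Set-Cookie headers, and the value has to be Lax rather than Strict because Strict broke login. The following is an added illustration of that approach written for this page; it is not Pontoon's code and not the django-cookies-samesite package. It is framework-agnostic WSGI so it runs without Django installed, and the cookie names (Django's defaults sessionid and csrftoken), the demo app and its cookie values are assumptions. The page does not say what caused the IndexError with Strict; the example only makes the value configurable and rejects anything other than Lax or Strict.

```python
"""WSGI middleware that appends SameSite to selected Set-Cookie headers.

Added example for a framework that cannot emit the attribute itself
(e.g. Django 1.11 on Python 2, where http.cookies/Cookie has no
'samesite' attribute). Cookie names and demo values are assumptions.
"""
import re
from wsgiref.util import setup_testing_defaults

# Django's default session and CSRF cookie names (assumed to be the targets).
DEFAULT_COOKIES = ("sessionid", "csrftoken")
# "None" would additionally require Secure and newer browsers; deliberately not offered.
ALLOWED_VALUES = ("Lax", "Strict")

_SAMESITE_RE = re.compile(r";\s*SameSite=", re.IGNORECASE)


def patch_set_cookie(header_value, cookie_names=DEFAULT_COOKIES, samesite="Lax"):
    """Return header_value with '; SameSite=<value>' appended when the cookie is
    one we protect and the header does not already carry a SameSite attribute."""
    if samesite not in ALLOWED_VALUES:
        raise ValueError("unsupported SameSite value: %r" % (samesite,))
    name = header_value.split("=", 1)[0].strip()
    if name not in cookie_names:
        return header_value
    if _SAMESITE_RE.search(header_value):
        return header_value  # respect an attribute the framework already set
    return "%s; SameSite=%s" % (header_value, samesite)


class SameSiteCookieMiddleware(object):
    """Wraps a WSGI app and rewrites its Set-Cookie headers on the way out."""

    def __init__(self, app, cookie_names=DEFAULT_COOKIES, samesite="Lax"):
        if samesite not in ALLOWED_VALUES:
            raise ValueError("unsupported SameSite value: %r" % (samesite,))
        self.app = app
        self.cookie_names = tuple(cookie_names)
        self.samesite = samesite

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            new_headers = [
                (k, patch_set_cookie(v, self.cookie_names, self.samesite))
                if k.lower() == "set-cookie" else (k, v)
                for k, v in headers
            ]
            return start_response(status, new_headers, exc_info)

        return self.app(environ, patched_start_response)


def demo_app(environ, start_response):
    """Constructed app emitting headers in the shape Django 1.11 produces (hypothetical values)."""
    headers = [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "sessionid=s3ss10n; HttpOnly; Max-Age=1209600; Path=/"),
        ("Set-Cookie", "csrftoken=t0k3n; Max-Age=31449600; Path=/"),
        ("Set-Cookie", "theme=dark; Path=/"),  # unrelated cookie, must be left alone
    ]
    start_response("200 OK", headers)
    return [b"ok"]


def run(samesite="Lax"):
    """Drive the wrapped demo app through one WSGI call; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    app = SameSiteCookieMiddleware(demo_app, samesite=samesite)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for key, value in run()[1]:
        print("%s: %s" % (key, value))
```

Only the named cookies are touched and an existing SameSite attribute is preserved, so the middleware stays safe to leave in place until the framework starts emitting the attribute itself, which is the removal plan the thread describes.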