Open Bug 1461989 Opened 7 years ago Updated 4 years ago

Support SameSite cookie attribute

Categories

(Conduit :: Lando, enhancement, P3)

Tracking

(Not tracked)

People

(Reporter: psiinon, Unassigned, Mentored)

References

Details

(4 keywords, Whiteboard: [secops:2021])

Firefox 60 introduces support for the SameSite cookie attribute: https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/

This provides significant protection against CSRF vulnerabilities and so it should be applied to any session cookies.

lando.devsvcdev.mozaws.net uses a cookie called 'lando.devsvcdev.mozaws.net' which looks like it could well be a session type cookie, esp. as it's already flagged as Secure and HttpOnly. Can this be updated to be SameSite=lax or SameSite=Strict? Are there similar cookies in lando-api that could be similarly protected?

It looks like lando-ui and lando-api use flask 0.12.1 - SameSite cookie support is introduced in flask 1.0: http://flask.pocoo.org/docs/1.0/changelog/#version-1-0 Are there any plans to upgrade to flask 1.0?

Note that I've raised a similar bug on Phabricator: bug 1461634
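The check the reporter describes (does a session cookie carry Secure, HttpOnly and a Lax/Strict SameSite attribute?) can be scripted. The following is an added example, not code from this bug or from the Lando project: it parses a Set-Cookie header with the standard library, reports which of the three attributes are missing, and shows what the same cookie looks like once SameSite is set. The cookie name is the one quoted in the report; the cookie value and the "before" header are constructed for illustration. Setting the attribute on a real Flask 1.0 app is a configuration change (the SESSION_COOKIE_SAMESITE, SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY settings), which this example reproduces with http.cookies so it runs offline.

```python
"""Audit a Set-Cookie header for Secure, HttpOnly and SameSite, and build a
hardened session cookie. Added example; not part of the bug or of Lando.
Requires Python 3.8+ (Morsel gained the 'samesite' attribute in 3.8)."""
from http.cookies import SimpleCookie

# Values that make the browser withhold the cookie from cross-site requests
CSRF_SAFE_SAMESITE = ("lax", "strict")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to ''."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return (cookie_name, findings). An empty findings list means the cookie
    carries all three attributes the bug report asks for."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in CSRF_SAFE_SAMESITE:
        # Absent or SameSite=None: the browser still attaches the cookie to
        # cross-site requests, so CSRF defence rests on the app alone.
        findings.append("SameSite is not Lax or Strict")
    if samesite == "none" and "secure" not in attrs:
        # Browsers reject SameSite=None cookies that are not also Secure.
        findings.append("SameSite=None requires Secure")
    return name, findings


def build_session_cookie(name, value, samesite="Lax"):
    """Emit a Set-Cookie header value with Path, Secure, HttpOnly and SameSite,
    equivalent to what Flask 1.0 produces with SESSION_COOKIE_* configured."""
    if samesite not in ("Lax", "Strict"):
        raise ValueError("session cookies should use SameSite=Lax or Strict")
    jar = SimpleCookie()
    jar[name] = value          # raises CookieError on an illegal cookie name
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = samesite
    return morsel.OutputString()


# Constructed headers: BEFORE mirrors the report (Secure + HttpOnly, no SameSite);
# the session id is made up.
BEFORE = "lando.devsvcdev.mozaws.net=example-session-id; Secure; HttpOnly; Path=/"
AFTER = build_session_cookie("lando.devsvcdev.mozaws.net", "example-session-id")

if __name__ == "__main__":
    for label, header in (("before", BEFORE), ("after", AFTER)):
        cookie, findings = audit_set_cookie(header)
        print(f"{label}: {cookie} -> {findings or 'OK'}")
```

Run it as a script to see the "before" cookie flagged for the missing SameSite attribute and the "after" cookie pass; point audit_set_cookie at the Set-Cookie headers of a live login response to reproduce the reporter's check.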
Keywords: sec-low
Priority: -- → P3
Mentor: smacleod
Keywords: good-first-bug
Whiteboard: [secops:2021]