Fixes #2157, Explicitly set SameSite value for cookies #2159
Conversation
Also contains an update for the cookie library dependency
|
As per https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite, Lax seems to be the default value, so I think lax is best for now (this way we just avoid browsers complaining about no explicit setting). We can consider hardening this, as well as the stuff in #353 and https://discuss.flarum.org/d/22642-security-roadmap, later on. For now, 👍 |
|
Only one thought: is there any place where we could add a unit test to confirm that the cookie returns samesite=lax as expected? |
|
Wouldn't that break some use-cases for https://github.com/flarum/embed? |
[ci skip] [skip ci]
|
I'd still like to see a unit test for this, but otherwise looks great! |
|
@askvortsov1 Any suggestions as to where in the testing this would fit? Not sure if we would classify it as a unit test or integration test. |
|
It seems from the cookie library code that the actual cookies are resolved by calling toString on them ( (string) $cookie)), so perhaps in a unit test, we could assert that the proper samesite value is present in the resolved cookie string? I wouldn't mind an integration test as well, but I'd hold off on that until we have more of other stuff we can test. |
Co-authored-by: Daniël Klabbers <luceos@users.noreply.github.com>
|
Got an error with the example, code from luceos. Actually found an even nicer way of doing it I think but I need to get my unit test working properly first on my laptop. If it does work it will be |
Also contains an update for the cookie library dependency
**Fixes #2157 **
Changes proposed in this pull request:
Updates the cookie library and explicitly sets the same site value
Reviewers should focus on:
Confirmed
- [ ] Frontend changes: tested on a local Flarum installation.composer test).