Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

utils.setCookie needs to use Secure with SameSite=none #5011

Closed
goosemanjack opened this issue Mar 19, 2020 · 3 comments
Closed

utils.setCookie needs to use Secure with SameSite=none #5011

goosemanjack opened this issue Mar 19, 2020 · 3 comments
Assignees

Comments

@goosemanjack
Copy link
Contributor

Type of issue

Bug

Description

When a cookie is specified as 'none' for a value of SameSite the cookie should automatically be written with the Secure flag. Currently this produces a warning in Chrome as below:

digiTrustIdSystem.js:89 A cookie associated with a resource at http://prebid.local/ was set with SameSite=None but without Secure. It has been blocked, as Chrome now only delivers cookies marked SameSite=None if they are also marked Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.

Steps to reproduce

Using the DigiTrust test page "integrationExamples/gpt/digitrust_simple.html" you will get the above warning. This is due to how utils.setCookie is behaving.

Test page

"integrationExamples/gpt/digitrust_simple.html" in source tree

Expected results

No warning. Cookie written with Secure option.

Actual results

Warning of impending doom.

@bretg
Copy link
Collaborator

bretg commented Mar 31, 2020

@jaiminpanchal27 - since you were the most recent person to touch these routines, please consider making this update to the central cookie functions

https://javascript.info/cookie

// assuming we're on https:// now
// set the cookie secure (only accessible if over HTTPS)
document.cookie = "user=John; secure";

goosemanjack added a commit to InteractiveAdvertisingBureau/Prebid.js that referenced this issue Apr 1, 2020
@goosemanjack
Copy link
Contributor Author

I have submitted a PR that makes this change in the new storageManager module.
#5064
For reference:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

@bretg
Copy link
Collaborator

bretg commented Apr 6, 2020

Closing this issue since the PR has been opened and partly reviewed.

@bretg bretg closed this as completed Apr 6, 2020
jsnellbaker pushed a commit that referenced this issue Apr 7, 2020
* #5011 Fix to set Secure attribute on cookie when SameSite=none

* Minor change to use const instead of var per review request.
rjvelicaria pushed a commit to openx/Prebid.js that referenced this issue Apr 9, 2020
…rebid#5064)

* prebid#5011 Fix to set Secure attribute on cookie when SameSite=none

* Minor change to use const instead of var per review request.
redaguermas added a commit to redaguermas/Prebid.js that referenced this issue Apr 16, 2020
* 'master' of https://github.com/prebid/Prebid.js: (102 commits)
  Marsmedia - Add vastXml and fix id response (prebid#5067)
  PubMatic adapter to support image sync (prebid#5104)
  minor consentManagement fix (prebid#5050)
  fix circle ci failing tests (prebid#5113)
  Add Relaido Adapter (prebid#5101)
  Add new bid adapter for ConnectAd (prebid#4806)
  change payload (prebid#5105)
  Utils updates (prebid#5092)
  Read OpenRTB app objects if set in config + bug fix for when ad units are reloaded (prebid#5086)
  Criteo : added first party data mapping to bidder request (prebid#4954)
  updateAdGenerationManual (prebid#5032)
  New bid adapter: Wipes (prebid#5051)
  Prebid manager analytics utm tags (prebid#4998)
  CRITEO RTUS Integration with Yieldmo Prebid (prebid#5075)
  isSafariBrowser update  (prebid#5077)
  Support min &max duration for onevideo (prebid#5079)
  increment pre version
  Prebid 3.15.0 release
  prebid#5011 Fix to set Secure attribute on cookie when SameSite=none (prebid#5064)
  Prebid adapter for windtalker (prebid#5040)
  ...
iggyfisk pushed a commit to happypancake/Prebid.js that referenced this issue Jun 22, 2020
…rebid#5064)

* prebid#5011 Fix to set Secure attribute on cookie when SameSite=none

* Minor change to use const instead of var per review request.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants