[pve-devel] applied-series: [PATCH widget-toolkit/http-server/apiclient 0/4] Set SameSite=Strict on Auth Cookies

Fri Jun 23 10:14:52 CEST 2023

On 6/6/23 17:17, Thomas Lamprecht wrote:
> Am 15/03/2023 um 17:26 schrieb Max Carrara:
>> This series sets the `SameSite` attribute of authentication cookies
>> to `Strict` as per RFC 6265[1]. This prevents browsers from nagging;
>> for example, FireFox 102.8.0esr would complain in the following manner:
>>
>>> Cookie “PVEAuthCookie” does not have a proper “SameSite” attribute 
>>> value. Soon, cookies without the “SameSite” attribute or with an
>>> invalid value will be treated as “Lax”. This means that the cookie
>>> will no longer be sent in third-party contexts. If your application
>>> depends on this cookie being available in such contexts, please add
>>> the “SameSite=None“ attribute to it. To know more about the
>>> “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
>>
>> Since setting `SameSite` to `Strict` enforces that the cookie be only
>> sent in a first-party context - so, only to the web UI and no other
>> site - it seemed like the best thing to choose. I'm not aware of the
>> cookie being used in any other contexts; if that's the case, I'll
>> gladly provide a v2.
> 
> now, with the upcomming beta, it's the best time to find that out ^^
> 
>>
>> The attribute is set wherever it makes sense; the only repo in which
>> it's not set would be 'pve-client', as that one's apparently not being
>> used at all (it wouldn't even build). Please let me know if I have
>> missed any spots.
>>
>> [1] https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-samesite-attribute
>>
>>
>> proxmox-widget-toolkit:
>>
>> Max Carrara (2):
>>   toolkit/utils: set SameSite attr of auth cookie to 'strict'
>>   toolkit/utils: fix whitespace
>>
>>  src/Toolkit.js | 513 ++++++++++++++++++++++++++-----------------------
>>  src/Utils.js   |   6 +-
>>  2 files changed, 276 insertions(+), 243 deletions(-)
>>
>>
>> pve-http-server:
>>
>> Max Carrara (1):
>>   formatter/bootstrap: set SameSite attr of auth cookie to 'strict'
>>
>>  src/PVE/APIServer/Formatter.pm           | 2 +-
>>  src/PVE/APIServer/Formatter/Bootstrap.pm | 2 +-
>>  2 files changed, 2 insertions(+), 2 deletions(-)
>>
>>
>> pve-apiclient:
>>
>> Max Carrara (1):
>>   lwp: set SameSite attr of auth cookie to 'strict'
>>
>>  PVE/APIClient/LWP.pm | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
> 
> 
> applied, thanks!

FYI, I was also about to scour through the PBS code to apply the
`SameSite` attribute to `PBSAuthCookie` as well - turns out that PBS
sets its cookie only via Ext JS, so this should work for PBS as well,
once the version of the `proxmox-widget-toolkit` dependency is bumped
(unless I've missed something). I'll keep an eye on it in regards to
PBS too.