Skip to content

[Http Foundation] Fix clear cookie samesite #36173

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nicolas-grekas merged 1 commit into from
Mar 23, 2020
Merged

[Http Foundation] Fix clear cookie samesite #36173

nicolas-grekas merged 1 commit into from
Mar 23, 2020

Conversation

@guillbdx
Copy link

@guillbdx guillbdx commented Mar 23, 2020
edited
Loading

Q A
Branch? 3.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets Fix #36107
License MIT

With Chrome Update 80, Cookies are required to be secure and samesite=none for cross site requests. However they are defaulted to samesite=lax if the samesite attribute is not set. In other words: developer has to explicitely opt-in for samesite=none in the case of a cross site request.

More details: https://chromestatus.com/feature/5088147346030592

We add the samesite argument to clearCookie method to allow developer to explicitely set this value.

@nicolas-grekas nicolas-grekas added this to the 3.4 milestone Mar 23, 2020
@guillbdx guillbdx closed this Mar 23, 2020
@guillbdx guillbdx reopened this Mar 23, 2020
@nicolas-grekas
Copy link
Member

nicolas-grekas commented Mar 23, 2020

Thank you @guillbdx.

@nicolas-grekas nicolas-grekas merged commit b4ec8b9 into symfony:3.4 Mar 23, 2020
This was referenced Mar 27, 2020
Merged
Merged
@nicolas-grekas nicolas-grekas mentioned this pull request Mar 28, 2020
Merged
@wouterj wouterj mentioned this pull request Mar 28, 2020
Merged
@fabpot fabpot mentioned this pull request Mar 30, 2020
Merged
fabpot added a commit that referenced this pull request Mar 30, 2020
@fabpot
bug #36252 [Security/Http] Allow setting cookie security settings for…
b1d21af 
… delete_cookies (wouterj)

This PR was merged into the 3.4 branch.

Discussion
----------

[Security/Http] Allow setting cookie security settings for delete_cookies

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #36243 (comment)
| License       | MIT
| Doc PR        | tbd

Similar to #36173 and #36175. This is needed for Chrome 80 compatibility.

My only question is whether we should introduce these specific settings, or somehow fetch them from `framework.session`?

Commits
-------

a696d1f [Security/Http] Allow setting cookie security settings for delete_cookies
@mkurz mkurz mentioned this pull request Feb 8, 2021
Merged
@Gijsbertbas Gijsbertbas mentioned this pull request Jul 1, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

Assignees

No one assigned

Labels

Bug Status: Reviewed

Projects

None yet

Milestone

3.4

Development

Successfully merging this pull request may close these issues.

3 participants

@guillbdx @nicolas-grekas @carsonbot