Bug 1998235
| Summary: | Firefox warning: Cookie “csrf-token” will be soon rejected | ||||||
|---|---|---|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Samuel Padgett <spadgett> | ||||
| Component: | Management Console | Assignee: | Yadan Pei <yapei> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Yadan Pei <yapei> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 4.9 | CC: | aos-bugs, kdoberst, proguski | ||||
| Target Milestone: | --- | ||||||
| Target Release: | 4.10.0 | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | No Doc Update | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: |
Version: 4.9.0-0.nightly-2021-08-26-040328
Cluster ID: 37daa945-0f9e-45d1-aa4d-14f23fb522f8
Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0
|
|||||
| Last Closed: | 2022-03-10 16:05:54 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
*** Bug 2004894 has been marked as a duplicate of this bug. *** Wasnt able to reproduce the warning using FF 92.0 (latest). In which version have you seen the issue? Hm, I no longer see the warning, but I believe it's still an issue. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite and https://groups.google.com/g/mozilla.dev.platform/c/nx2uP0CzA9k/m/BNVPWDHsAQAJ I think what we want is `SameSite=None; Secure` IF https is enabled. For http, we can probably just leave `SameSite` off the cookie. It looks like they removed the warning. > Note: On older browser versions you might get a warning that the cookie will be blocked in future. Sorry, I misread the doc on this. I think we simply want to always set `SameSite=Lax`, and that should work for http and https. We probably want `SameSite=Lax` on the session token as well. Created attachment 1826507 [details]
csrf-token SameSite set to 'Lax'
SameSite in csrf-token is set to "Lax", see screenshot
Verified on 4.10.0-0.nightly-2021-09-26-233013
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056 |
I see the following warning in the Firefox developer console. We need to look at the `Set-Cookie` response header we use for this cookie. Opening as a medium severity for now, but we might need to raise severity if it will break our CSRF checks in later Firefox versions. > Cookie “csrf-token” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite