I see the following warning in the Firefox developer console. We need to look at the `Set-Cookie` response header we use for this cookie. Opening as a medium severity for now, but we might need to raise severity if it will break our CSRF checks in later Firefox versions.

> Cookie “csrf-token” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
*** Bug 2004894 has been marked as a duplicate of this bug. ***
Wasn't able to reproduce the warning using FF 92.0 (latest). In which version have you seen the issue?
Hm, I no longer see the warning, but I believe it's still an issue. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite and https://groups.google.com/g/mozilla.dev.platform/c/nx2uP0CzA9k/m/BNVPWDHsAQAJ

I think what we want is `SameSite=None; Secure` IF https is enabled. For http, we can probably just leave `SameSite` off the cookie. It looks like they removed the warning.

> Note: On older browser versions you might get a warning that the cookie will be blocked in future.
Sorry, I misread the doc on this. I think we simply want to always set `SameSite=Lax`, and that should work for http and https. We probably want `SameSite=Lax` on the session token as well.
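The following is an added example, not code from this bug or from the OpenShift console. It builds the `csrf-token` cookie the way the thread settles on (`SameSite=Lax`, with `Secure` only when the server is serving TLS) using Go's standard `net/http` cookie type, and it includes a small linter that mirrors the rule behind the Firefox warning quoted at the top of the bug: `SameSite=None` is only acceptable together with `Secure`. The linter additionally flags any unrecognised `SameSite` value, which goes slightly beyond the warning text. The cookie value, `Path=/`, and the sample headers in `main` are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// csrfCookie builds the csrf-token cookie with SameSite=Lax, which is valid
// for both http and https. Secure is set only when the response goes over TLS,
// so the cookie still works on a plain-http deployment.
// Value and Path are assumptions for this example.
func csrfCookie(value string, secure bool) *http.Cookie {
	return &http.Cookie{
		Name:     "csrf-token",
		Value:    value,
		Path:     "/",
		Secure:   secure,
		SameSite: http.SameSiteLaxMode,
	}
}

// lintSetCookie checks a Set-Cookie header value for the combination Firefox
// warns about: SameSite=None (or an invalid SameSite value) without Secure.
// It returns "" when the header is fine, otherwise a description of the problem.
func lintSetCookie(header string) string {
	parts := strings.Split(header, ";")
	if !strings.Contains(parts[0], "=") {
		return "missing name=value pair"
	}
	sameSite, hasSameSite, secure := "", false, false
	for _, attr := range parts[1:] {
		kv := strings.SplitN(strings.TrimSpace(attr), "=", 2)
		switch strings.ToLower(kv[0]) {
		case "secure":
			secure = true
		case "samesite":
			hasSameSite = true
			if len(kv) == 2 {
				sameSite = kv[1]
			}
		}
	}
	if !hasSameSite {
		// No attribute at all: the browser applies its own default; Firefox does not warn.
		return ""
	}
	switch strings.ToLower(sameSite) {
	case "lax", "strict":
		return ""
	case "none":
		if secure {
			return ""
		}
		return "SameSite=None without the Secure attribute; the cookie will be rejected"
	default:
		// An unrecognised value is treated like None by the browser, and is a bug either way.
		return fmt.Sprintf("invalid SameSite value %q; use Lax, Strict, or None with Secure", sameSite)
	}
}

func main() {
	// Constructed sample headers: the two cookies this example emits plus the
	// shapes the original bug report complained about.
	samples := []string{
		csrfCookie("tok", true).String(),
		csrfCookie("tok", false).String(),
		"csrf-token=tok; Path=/; SameSite=None",
		"csrf-token=tok; Path=/; SameSite=None; Secure",
		"csrf-token=tok; Path=/; SameSite=Bogus",
	}
	for _, h := range samples {
		if problem := lintSetCookie(h); problem != "" {
			fmt.Printf("WARN  %s\n      %s\n", h, problem)
		} else {
			fmt.Printf("OK    %s\n", h)
		}
	}
}
```

`csrfCookie(...).String()` is exactly what `http.SetCookie` writes, so the same helper can be dropped into a handler with `http.SetCookie(w, csrfCookie(token, r.TLS != nil))`. The linter is useful against a captured response, for example the `Set-Cookie` line copied out of the Firefox network panel, to confirm the fix before looking for the console warning.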
Created attachment 1826507 [details]
csrf-token SameSite set to 'Lax'

SameSite in csrf-token is set to "Lax", see screenshot.

Verified on 4.10.0-0.nightly-2021-09-26-233013
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056