
SameSite default value update #4655

Closed
NinoFloris opened this issue Apr 16, 2018 · 7 comments
Labels
area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer

Comments

@NinoFloris

According to hapijs/bell#355 (which I found as it links to aspnet/Security#1231), Chrome > v65 has fixed its SameSite behavior to be in line with other browsers. This should allow SameSite.Strict in a few cases again.

I haven't tested this but I do think it's important to see if the default security can be increased again.

@muratg
Contributor

muratg commented Apr 19, 2018

Let's reevaluate in 2.2.

@Eilon
Contributor

Eilon commented Jul 17, 2018

We should take a look to see if we can remove the cookie policy setting in the templates and get that done ASAP.

We should separately look to see if all the major browsers support SameSite in an acceptable manner and consider changing the template (or library) to even use Strict.

@kanadaj

kanadaj commented Jul 18, 2018

I am told Strict still causes problems with iPhone.

@aspnet-hello aspnet-hello transferred this issue from aspnet/Security Dec 13, 2018
@aspnet-hello aspnet-hello added this to the 3.0.0-preview2 milestone Dec 13, 2018
@aspnet-hello aspnet-hello added the area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer label Dec 13, 2018
@Eilon Eilon modified the milestones: 3.0.0-preview2, Backlog Dec 13, 2018
@Eilon
Contributor

Eilon commented Dec 13, 2018

Putting in Backlog while we wait for the state of common browsers to settle. In the meantime apps can set the policy themselves.
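What "apps can set the policy themselves" looks like in practice, as an added example that is not code from this issue or from the ASP.NET Core repository. It assumes the `CookiePolicyOptions` / `OnAppendCookie` / `SameSiteMode.Unspecified` API as shipped in the 2.2, 3.0 and 3.1 SameSite updates, and the user-agent substrings in `DisallowsSameSiteNone` are an illustrative approximation of the commonly published incompatible-client list, not an exhaustive one:

```csharp
// Added example: app-side SameSite policy for ASP.NET Core (assumed API shape
// of CookiePolicyOptions after the 2.2/3.0/3.1 SameSite updates).
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // Do not force a global minimum: each cookie keeps the SameSite value
            // its own options set, and the callbacks below adjust it per client.
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            options.OnAppendCookie = ctx => AdjustSameSite(ctx.Context, ctx.CookieOptions);
            options.OnDeleteCookie = ctx => AdjustSameSite(ctx.Context, ctx.CookieOptions);
        });

        services.AddAuthentication("Cookies").AddCookie("Cookies", o =>
        {
            // The sign-in cookie is never needed on a cross-site request in this app,
            // so it opts into Strict, the tighter default this issue asks about.
            o.Cookie.SameSite = SameSiteMode.Strict;
            o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCookiePolicy();   // must run before any middleware that writes cookies
        app.UseAuthentication();
        // ... routing and endpoints follow
    }

    // SameSite=None is rejected or treated as Strict by some older user agents (the
    // Safari/iOS behaviour mentioned in this thread). For those clients, omit the
    // attribute rather than sending a value they will mishandle.
    private static void AdjustSameSite(HttpContext httpContext, CookieOptions options)
    {
        if (options.SameSite == SameSiteMode.None)
        {
            var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
            if (DisallowsSameSiteNone(userAgent))
            {
                options.SameSite = SameSiteMode.Unspecified;
            }
        }
    }

    // Illustrative user-agent patterns (assumption: approximates the commonly
    // published list of incompatible clients; trim to what you actually support).
    public static bool DisallowsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent)) return false;

        // iOS 12 Safari and WebViews treat SameSite=None as Strict.
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
            return true;

        // Safari on macOS 10.14 has the same defect.
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") &&
            userAgent.Contains("Version/") && userAgent.Contains("Safari"))
            return true;

        // Chrome 51 to 66 drop cookies carrying SameSite=None; this coarse match
        // also catches a few neighbouring versions, which errs on the safe side.
        if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
            return true;

        return false;
    }
}
```

Order matters: `UseCookiePolicy()` has to sit before `UseAuthentication()` and anything else that appends cookies, otherwise the callbacks never see them. Keeping `MinimumSameSitePolicy` at `Unspecified` lets the authentication cookie be `Strict` while cookies that genuinely need cross-site delivery (OIDC correlation and nonce cookies, for example) keep `None` on browsers that understand it.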

@Tratcher
Member

Tratcher commented Mar 5, 2019

iOS has implemented a much different policy than other browsers and that discourages us from making further investments here until they get it sorted out.
Related:

@Tratcher
Member

I did some testing recently with the modified samesite=lax default policy being added to browsers (#12125). Most of our components worked OK, but I did not go back and test Safari/iOS.

@blowdart
Contributor

blowdart commented Dec 5, 2019

Closing, as updates for 3.1, 3.0 and 2.2 were released for the new SameSite changes Google made.

@blowdart blowdart closed this as completed Dec 5, 2019
@ghost ghost locked as resolved and limited conversation to collaborators Jan 4, 2020