Allows samesite='none' in set_cookie #407
Conversation
marc1n
changed the title
|
Black is required to format code in WebOb. |
|
I've changed case in doc for better visual distinction between "none" and None. According to the cookie spec SameSite attribute value is case-insensitive. |
|
According to the specs if the value Do we want to handle that invariant? |
|
@marc1n would you also kindly remove the merge commit by rebasing this work on top of master? |
|
I tried but I failed. My knowledge of git is too limited. What steps should I do to remove the merge commit? |
|
@marc1n you should be able to run:
when the editor appears, exit the editor without modifying anything. Then force push the results to your Github repo:
This will overwrite the copy on Github with your fixed local copy, this PR will then automatically update. Thanks! |
|
@bertjwregeer Done, thanks for help! |
I think "yes", but I am not sure which is better: to raise exception if secure=True is not set, or automatically set it to True. |
I would raise a ValueError explaining the incompatible arguments. |
|
I would be happy to accept this PR with the suggestion that @mmerickel made. I think that is the best way moving forward to make sure that people get the behavior they are expecting. |
|
This change in Chrome caused a series of issues for us. While I support this PR, and am very eager for it to be merged/released ASAP, I want to suggest that a future version does not raise an exception after checking the SameSite arguments or their compatibility with the secure flag - as that could suddenly change again. Perhaps an environment variable could be used to toggle between warning with a deprecation/log or raising an exception. The default can absolutely be raising an exception, but there should be an option to easily avoid these checks if the cookie spec changes again or a major browser vendor decides to suddenly force a new behavior or keyword value. I love that WebOb/Pyramid are helping us "do the right thing", but I am worried about future sudden changes by browser vendors. |
…none' but secure is not True
|
There's a reason why I marked this as experimental in WebOb. I am all for security improvements, but the fact remains that Google and Chrome are steamrolling the various communities and forcing them to adapt ever changing standards. The draft that was linked above expired "November 8, 2019" and the fact that Chrome is steam-rolling ahead with the change without further consent from the internet community is absolutely terrible. |
|
I highly doubt that Google is going to relax the requirement for SameSite=None to not also be Secure, so having that check in the codebase is fine by me. I will not be adding environment checks to WebOb, I may provide a flag in the future that can be set on a module, but no environment variables. That sort of behaviour has bitten me far too many times in the past (looking at oauthlib...) in other libraries that changed core behaviour depending on environment variables that are not well documented/not well known. |
That's a great point. I prefer toggling a flag in a module too, but I've seen more people advocate for environment variables so went with that (also, probably oauthlib). I'd be happy to submit a draft PR that uses that approach. I have a bunch of whitelabel sites that communicate with a centralized domain via javascript + iframes (like facebook and twitter buttons). The Chrome change completely broke this functionality and our overall user experience over a very large chunk of traffic. This was hotfixed with a patch in the deployment routine, but I really hate this approach. |
|
I'd be open to a draft PR that adds that, although I am not sure it is worth adding the change for something that I think is very unlikely to change in the future. We should be moving towards a more HTTPS web anyway, and the Secure flag on cookies should be the norm. |
|
I'm just going to use the flag to disable checking the value matches a b
…Sent from my iPhone
On Dec 19, 2019, at 8:14 AM, Bert JW Regeer ***@***.***> wrote:
I'd be open to a draft PR that adds that, although I am not sure it is worth adding the change for something that I think is very unlikely to change in the future. We should be moving towards a more HTTPS web anyway, and the Secure flag on cookies should be the norm.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
|
Understood. I was just going to draft a PR to support disabling the check on the samesite value , in case a new one is added or they start tests again (there were some other values tested at one point).
|
|
Oh... I guess that could make sense. Sure, start a PR for that change. |
Allows samesite='none' in set_cookie
1.8.6: Experimental Features - The SameSite value now includes a new option named "None", this is a new change that was introduced in https://tools.ietf.org/html/draft-west-cookie-incrementalism-00 Please be aware that older clients are incompatible with this change: https://www.chromium.org/updates/same-site/incompatible-clients, WebOb does not enable SameSite on cookies by default, so there is no backwards incompatible change here. - Validation of SameSite values can be disabled by toggling a module flag. This is in anticipation of future changes in evolving cookie standards. The discussion in Pylons/webob#407 (which initially expanded the allowed options) notes the sudden change to browser cookie implementation details may happen again. In May 2019, Google announced a new model for privacy controls in their browsers, which affected the list of valid options for the SameSite attribute of cookies. In late 2019, the company began to roll out these changes to their browsers to force developer adoption of the new specification. See https://www.chromium.org/updates/same-site and https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for more details on this change.
#406