Patch samesite for implicit #758
Conversation
lib/WP_Auth0_Nonce_Handler.php
@@ -166,13 +179,94 @@ public function generate_unique( $bytes = 32 ) { | |||
* @return bool | |||
*/ | |||
protected function handle_cookie( $cookie_name, $cookie_value, $cookie_exp ) { | |||
$illegal_chars = ",; \t\r\n\013\014"; | |||
if ( strpbrk( $cookie_name, $illegal_chars ) != null ) { |
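Review bot: `strpbrk()` returns `false` when none of the characters are present, so the `!= null` comparison in the new `handle_cookie()` guard only works through loose comparison; `!== false` would state the intent directly. The visible check also covers `$cookie_name` only; since the discussion is about malformed state/nonce values, `$cookie_value` would merit the same check against `$illegal_chars`.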
This check just clues the administrator into an issue via the plugin error log if, for some reason, they're doing something wrong with customer state/nonce values. With one of these characters in place, the validation would be silently failing so this is not a breaking change.
@@ -39,6 +39,14 @@ class WP_Auth0_Nonce_Handler { | |||
*/ |
The pattern for the additions to this file was pulled from the PHP SDK:
https://github.com/auth0/auth0-PHP/pull/395/files#diff-edb92fb2369f39801bab7466d95cbc1c
Compare 435951c to 17e04df
Compare 17e04df to 9cc45f6
Changes
Important note for sites using the implicit flow: The upcoming changes to SameSite handling in multiple browsers will require sites using the Implicit Login Flow setting to also be served on a secure channel (callback URL using "https"). This setting will be removed in the upcoming major version (please comment below if you have an important use case that this will affect).
References
Web.dev: SameSite cookies explained
Testing
Checklist
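As an added illustration of the two points raised in this PR (the illegal-character guard on the nonce cookie, and the SameSite change forcing the implicit flow onto https), the following PHP builds a `Set-Cookie` header for a state/nonce cookie. It is not code from the wp-auth0 plugin or the auth0-PHP SDK; the function name, parameters and the `build_nonce_cookie_header()` helper are assumptions, and it assumes the implicit callback arrives as a cross-site POST (as Auth0's `form_post` response mode does), which is why that flow needs `SameSite=None` and therefore `Secure`.

```php
<?php
// Added illustration (not plugin or SDK code): build a Set-Cookie header for
// a state/nonce cookie, rejecting characters that would break the header and
// enforcing the SameSite/Secure pairing that current browsers require.
// Function and parameter names are assumptions.

/**
 * Characters that are illegal in a cookie name or value; the same list as the
 * strpbrk() guard in the diff above.
 */
const COOKIE_ILLEGAL_CHARS = ",; \t\r\n\013\014";

/**
 * Build the value of a Set-Cookie header for a nonce/state cookie.
 *
 * @param string $name     Cookie name.
 * @param string $value    Cookie value (the nonce or state token).
 * @param int    $expires  Unix timestamp at which the cookie expires.
 * @param bool   $implicit True when the implicit flow posts the response back
 *                         cross-site, which requires SameSite=None.
 * @param bool   $is_https True when the callback URL is served over https.
 *
 * @return string Header value to pass to header( 'Set-Cookie: ' . ... ).
 *
 * @throws InvalidArgumentException When the name or value contain illegal
 *         characters, or SameSite=None is requested without https.
 */
function build_nonce_cookie_header( string $name, string $value, int $expires, bool $implicit, bool $is_https ): string {
	// strpbrk() returns false when none of the characters are present, so
	// compare strictly rather than relying on a loose "!= null".
	if ( strpbrk( $name, COOKIE_ILLEGAL_CHARS ) !== false ) {
		throw new InvalidArgumentException( 'Cookie name contains an illegal character' );
	}
	if ( strpbrk( $value, COOKIE_ILLEGAL_CHARS ) !== false ) {
		throw new InvalidArgumentException( 'Cookie value contains an illegal character' );
	}

	// The implicit flow receives the tokens via a cross-site POST to the
	// callback, so its nonce cookie must be SameSite=None; browsers only
	// accept SameSite=None together with Secure, hence the https requirement.
	// The code flow's callback is a top-level GET, for which Lax suffices.
	$same_site = $implicit ? 'None' : 'Lax';
	if ( 'None' === $same_site && ! $is_https ) {
		throw new InvalidArgumentException( 'SameSite=None cookies require an https callback URL' );
	}

	$parts = [
		$name . '=' . $value,
		'Expires=' . gmdate( 'D, d M Y H:i:s', $expires ) . ' GMT',
		'Path=/',
		'HttpOnly',
		'SameSite=' . $same_site,
	];
	if ( $is_https ) {
		$parts[] = 'Secure';
	}

	return implode( '; ', $parts );
}

// Usage with a constructed nonce value: implicit flow on an https callback.
$nonce = bin2hex( random_bytes( 16 ) );
header( 'Set-Cookie: ' . build_nonce_cookie_header( 'auth0_nonce', $nonce, time() + 600, true, true ) );

// The same call with $is_https = false throws, which is the condition the
// "important note" in the PR description describes for implicit-flow sites.
```

Emitting the header directly rather than through `setcookie()` is the portable route: `setcookie()` only gained a `samesite` option in PHP 7.3, which is also why the SDK change referenced above takes that approach.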