Why must SameSite=none? #587
Comments
|
That's a big pain point for me as well and I would actually never deploy something to prod with this setting. I think the browser should just sent even host only cookies to the IdP in that case and since it's behind the scenes anyway, I don't see an issue with doing that. The other way around, setting |
|
@samuelgoto any additional info on this? |
We are working with our privacy and security reviewers to figure out what we can do about this. Will report back. |
@johannhof I hear that this is working as intended. Can you help us understand why |
|
I think I understand your concern and that you consider requests initiated by FedCM to meet a higher bar than "regular" cross-site fetch requests, however, let's look at the available options and their current definitions:
Of course, we can revisit and change things if they don't make sense. This was discussed in #248 and the suggestion back then was to add a We could consider broadening the definition of cc @arturjanc for thoughts |
|
@DCtheTall FYI ^ |
|
Thanks @johannhof. I think the problem is that FedCM requests feel like a new thing. Is there any precedent for requests that are sent by the browser but which the origin has no direct control over the method, content, or response (only the URI can be controlled by the RP)? I can see why you technically consider them to be cross-site requests since they wouldn't be fired without visiting an RP, but do they really fit the description of what we've always considered cross-site on the web up to this point? The term is generally used in conversations involving CSRF security concerns and privacy, and I haven't been able to come up with any scenarios where FedCM requests would introduce a security vulnerability (caveat: I am not a security expert). The endpoints are highly prescribed and the results aren't directly accessible to the RP. On the flip side, forcing all cookies to be SameSite=none for FedCM introduces real, tangible security issues. |
|
Yeah, I understand the negative security implications this would cause for IdPs in the mid term (that is, until 3rd party cookies are blocked by default without workarounds in all browsers) and I agree it's not a great outcome. I'm honestly torn on this issue. I'd love to hear from some of the tagged folks (@arturjanc @annevk @bvandersloot-mozilla) regarding their thoughts on a possible inclusion of FedCM requests in |
|
I think it would make a lot of sense to even be able to set host only cookies, even with On the other hand, if we would set host only or samesite cookies, they are restricted to the IdPs domain / host and would not leak anywhere else, even when the FedCM is not used. |
|
Chatted with @arturjanc about this offline, and the fact that all these endpoints have to be pre-registered by the IdP in a config file makes us think that carving this out as a new instance where @sebadob relaxing cross-origin restrictions feels like a fundamentally different suggestion and much less likely to happen, as that is a concern of not leaking additional data to the IdP endpoint (which could also be a risk to that endpoint itself, if there are ways for subdomains to set the cookies it is looking for). This is all very hard to reason about and it's important that we don't pull the rug on security concepts people are relying on. |
|
@johannhof don't get me wrong, I would never want this to be a global change, only for these specific endpoints where we actually need the cookies during the FedCM flow. Basically like you suggested. The |
|
I don't understand the discussion about Creating a new avenue for (Also, you never get protection from CORS. The protection is from the same-origin policy. CORS pokes holes in that.) |
Sorry the Edit: The main question was actually only, why the FedCM wants |
|
I appreciate the time being taken to seriously consider this concern. Honestly the situation makes me a bit uneasy. Just because it seems safer to relax SameSite=lax than to require SameSite=none doesn't necessarily mean that's the case. My instincts tell me this should be treated as a new thing. The SameSite=federated suggestion should work. But if people who know more about security than me (not a high bar) sign off on SameSite=lax being relaxed, I won't complain. |
|
I tend to agree that a My intuition is that the FedCM requests are something fundamentally different and it'd be appropriate/okay/safe to send I'd note that the document to which @johannhof previously referred is is currently in Working Group Last Call in the IETF's HTTP WG. Would it be worthwhile to provide feedback about this here issue and try and get a carve-out or allowance of some sort for these unique kinds of requests? Is anyone aware of similar platform originating requests and if or how they are handling similar considerations? |
|
Implementation-wise, Chrome used to send SameSite=Strict cookies as well, however there was strong opposition to that so we ended up with what we do now (SameSite=None only). |
@cbiesinger would it be equally trivial / easy for Chrome to send |
I am currently inquiring about that |
|
Even if we would set these cookies to Because there is no additional token or verification. You receive a cross-origin request, which has not been accepted or whitelisted before (because that would destroy the "sign in without upfront registration"). Then you can only validate the users login / session based on a single cookie, which can be sent from anyone and anywhere because it is not set to I mean, if I am missing something here, please correct me, but I don't see how this should work in a secure manner with having either a Edit:
|
The FedCM endpoints in particular, which I think you are talking about (?), can/should verify that the |
|
@cbiesinger mentioned this over in #212 but I think it is more relevant to this issue and bears repeating here - the last paragraph in https://fedidcg.github.io/FedCM/#browser-api (copied below because content at github.io isn't necessarily stable) actually contradicts the behavior to only send SameSite=None designated cookies.
|
Does that imply that the google account cookies are |
Ah yes, of course, totally forgot that you can't modify the |
If we agree on the Note that browsers can make this change without requiring standardization, the standard usually follows implementation. |
|
Before we can reach agreement I think someone has do the work on explaining the limited protections that exist around SameSite=Lax today and how this feature doesn't make the situation worse for existing SameSite=Lax cookies. Also, standardization as a concept very much is inclusive of discussions such as this one so I can't really agree with your statement there. |
I was more suggesting (or asking about) making a suggestion to the IETF's HTTP WG for 6265bis to make some acknowledgement that other kinds of requests might exist that fall outside the SameSite enforcement requirements stated therein. Such an acknowledgement or allowance would maybe preempt citing the soonish-to-be RFC as reasoning that FedCM requests (or similar) can only attach
AFAICT, it is specified in FedCM #587 (comment) and the behavior in chrome is divergent from that (thanks BTW @aaronpk for the pointer/note in FedCM for IndieAuth).
I am well aware that browsers can do whatever they want. However, I might humbly suggest that the interplay between standards and implementation is much more nuanced than that. Or should be anyway. |
As best I understand and can summarize things here, this would mean attaching SameSite=Lax cookies only to requests initiated via this new browser API to a few new endpoints that are required to enforce the presence of a
Yeah, standardization needs to be inclusive and more than just documenting implementation. |
|
Yeah, to be clear I wasn't trying to say "we can't do this because of some clause in 6265bis". We need to threat model how this impacts developers relying on current SameSite definitions, which happen to be specified in 6265bis. If we do this analysis and get implementer buy-in then we'll make whatever changes are needed in FedCM and the Cookies RFC. On Chrome side I haven't seen anyone strongly object to this from a security perspective and there seems to be significant upside for developers, so I think we're tentatively positive on sending |
I think this would still be useful, and that @bc-pi's summary of the impact is a start. I'm coming a little late to the party and may have missed something in the scrollback, but I'm trying to figure out the use case here and am coming at it from the angle of use-case preservation. If these cookies are expected to be sent by a request from a third-party page, how did these applications work before? IIRC, the way we resolved Fetch issues was to treat the fetches initiated by this API as using the .well-known as basically a subdocument that initiates the requests. So it may be useful to think about why we don't have Lax cookies in iframe subresources. I think the difference between this case and iframe subresources may just boil down to an opt-in vs opt-out protections. You have to opt-in to FedCM, but you have to opt-out of embedding. I'm not sure if that is the only difference or if it is sufficient to include Lax here. |
I've searched the repo and read through #212 and #248 but I'm still confused about the SameSite=none requirement.
LastLogin currently uses SameSite=lax for all cookies. Changing to none potentially opens up several vulnerabilities that need to be carefully considered. I get some protection from CORS, but there are so many edge cases that things can slip through with "simple requests" etc. I could also add a tiny sentinel cookie set with SameSite=lax and then require both cookies for all endpoints except FedCM, but again that requires me to get it right everywhere, which is dangerous.
Overall, why is this necessary in the first place? It seems like a very intentional decision, but I haven't found a clear explanation yet. As @samuelgoto mentions here it seems to me that FedCM already is secure enough to be trusted sending lax cookies.
The text was updated successfully, but these errors were encountered: