Fix SameSite cookies for Enterprise authentication #231
Conversation
I'm just having trouble with this!

```js
await this.mainWindow.webContents.session.cookies.set({
  url: `https://${cookie.domain?.replace(/^\./, '')}${cookie.path}`,
  secure: cookie.secure,
  sameSite: 'no_restriction',
```
@kyushun Does it not work properly with `lax`?
`lax` only attaches the cookie on top-level navigations, so it is ignored for requests that do not change the URL, such as those made by `img` tags. The request that fetches the user's avatar needs `private_mode_user_session`, but because the default is `lax` it is not sent, so it has to be changed to `none` so that the cookie gets sent.
@@ -70,6 +70,36 @@ class _MainWindow { | |||
async initRenderer() { | |||
await this.mainWindow.loadURL(`file://${__dirname}/../../../Renderer/asset/html/index.html`); | |||
// await this.correctCookies(); | |||
|
|||
const privateModeSessionCookies = await this.mainWindow.webContents.session.cookies.get({ name: 'private_mode_user_session' }); |
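Review bot: the lookup `session.cookies.get({ name: 'private_mode_user_session' })` is filtered by name only, so it returns matching cookies from every host in the session rather than just the Enterprise host; scope it with a `url` (or `domain`) filter, or skip entries whose domain is `github.com`, before the rewrite that follows runs on them. The leftover `// await this.correctCookies();` in the same hunk should either be removed or get a comment saying why it is kept.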
It would be safer to make the whole sequence of cookie manipulation that follows run only for domains other than github.com.
`private_mode_user_session` should not exist on github.com, but I added the check just in case.
@kyushun This means manipulating cookies by hand; are there no security concerns with that?

Regarding the request: sorry for the delay, I have replied and made the fix. 🙇♂️
@kyushun Thanks for the reply! I'll merge it.
Fix #213

GitHub Enterprise requires `private_mode_user_session` for private access, but avatars cannot be loaded because the cookie's SameSite attribute is Lax by default. https://docs.github.com/en/github/site-policy/github-subprocessors-and-cookies
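The cookie rewrite this PR describes, as an added example that is not the project's own code: a pure function over objects in the shape Electron's `session.cookies.get()` returns, which scopes the rewrite to hosts other than github.com (the reviewer's suggestion above) and forces `secure: true`, since Chromium only accepts SameSite=None on Secure cookies. `buildSameSiteNoneCookie`, `rewriteSessionCookies`, the host `ghe.example.com` and the sample cookies are assumptions constructed for this example.

```javascript
// Added example: decide how an Electron cookie object should be re-set so a
// GitHub Enterprise avatar request (a sub-resource, not a navigation) carries it.
const PRIVATE_MODE_COOKIE = 'private_mode_user_session';

function hostOfCookie(cookie) {
  // Electron reports domain cookies as ".ghe.example.com"; strip the leading
  // dot so the value can be used as a URL host (same trick as the PR's code).
  return (cookie.domain || '').replace(/^\./, '');
}

function buildSameSiteNoneCookie(cookie) {
  // Only rewrite the Enterprise session cookie, never anything on github.com.
  if (cookie.name !== PRIVATE_MODE_COOKIE) return null;
  const host = hostOfCookie(cookie);
  if (host === '' || host === 'github.com' || host.endsWith('.github.com')) return null;

  // SameSite=None is rejected by Chromium unless the cookie is also Secure, so
  // force secure:true and an https URL instead of copying cookie.secure.
  return {
    url: `https://${host}${cookie.path || '/'}`,
    name: cookie.name,
    value: cookie.value,
    path: cookie.path || '/',
    secure: true,
    httpOnly: Boolean(cookie.httpOnly),
    expirationDate: cookie.expirationDate,
    sameSite: 'no_restriction', // Electron's spelling of SameSite=None
  };
}

function rewriteSessionCookies(cookies) {
  // Return the cookies.set() options for every cookie that needs rewriting.
  return cookies.map(buildSameSiteNoneCookie).filter((c) => c !== null);
}

// Constructed sample input (hypothetical host ghe.example.com).
const SAMPLE_COOKIES = [
  { name: 'private_mode_user_session', value: 'abc', domain: '.ghe.example.com', path: '/', secure: true, httpOnly: true, sameSite: 'lax' },
  { name: 'private_mode_user_session', value: 'xyz', domain: 'github.com', path: '/', secure: true, httpOnly: true, sameSite: 'lax' },
  { name: 'logged_in', value: 'yes', domain: '.ghe.example.com', path: '/', secure: false, httpOnly: false, sameSite: 'lax' },
];
```

Each returned object is what the app would pass to `session.cookies.set()`; github.com's cookie and unrelated cookies are left untouched.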