
SameSite error logged in Firefox (rails/main) #45681

Closed
strobilomyces opened this issue Jul 28, 2022 · 1 comment · Fixed by #45688


Steps to reproduce

  • Create a new rails app using main or on/after d29e755
  • Add a model, change default route to its index
  • Start server, open in Firefox (I'm using 103.0)

Expected behavior

No console errors

Actual behavior

The good old:

Cookie “_fuck_session” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

System configuration

Rails version: rails/main (currently at b8964e5)

Ruby version: 3.1.2p20

Fix

Rolling back to the previous commit, 646bff6, the console error is not logged.

Etc.

Setting config.action_dispatch.cookies_same_site_protection in application.rb has no effect on this.

I don't know if the changelog for d29e755 is supposed to be suggesting a workaround, but where exactly it would be set for ordinary session cookies is unclear to me. Regardless, out of the box, the error is present.

Oh, yeah, and there aren't any errors in Chrome (hence the title).

Thanks in advance :)

jonathanhefner added a commit to jonathanhefner/rails that referenced this issue Jul 28, 2022
Follow-up to rails#45501.

The Rack base class that `CookieStore` inherits from [always sets
`:same_site`][1].  Thus, `options.key?(:same_site)` always returns true
for session cookies, preventing a default value from being set.

It would be possible to change Rack to conditionally set `:same_site`,
but, from Rack's perspective, it has no reason to not set `:same_site`,
because it treats a `nil` value the same as no value.

Therefore, this commit specifies a default `:same_site` in `CookieStore`,
which simply defers to `request.cookies_same_site_protection` as
`CookieJar` does.

Fixes rails#45681.

[1]: https://github.com/rack/rack/blob/2.2.4/lib/rack/session/abstract/id.rb#L398-L402
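As an added example (not code from Rails, Rack or any participant in this thread), the following Ruby model shows why the `options.key?(:same_site)` check in the commit message never applies the default, what the fixed resolution does instead, and the check behind the Firefox warning quoted in the report; every method name and the `REQUEST_SAME_SITE_PROTECTION` constant are illustrative stand-ins, not real Rails or Rack APIs.

```ruby
# Added example, not code from Rails or Rack: a simplified model of the
# default-resolution bug described in the commit message. All names here
# (rack_session_cookie, same_site_before_fix, same_site_after_fix,
# firefox_warns?) are illustrative, not real Rails/Rack APIs.

# Rack's abstract session store puts a :same_site key on every session
# cookie hash, with nil when nothing was configured (per the commit
# message; this is a model, not Rack's code).
def rack_session_cookie(configured_same_site = nil)
  { value: "opaque-session-id", same_site: configured_same_site }
end

# Stand-in for request.cookies_same_site_protection (Rails default :lax).
REQUEST_SAME_SITE_PROTECTION = :lax

# Before #45688: fall back to the request-wide setting only when the key
# is absent. Rack always sets the key, so the fallback never fires.
def same_site_before_fix(cookie, protection = REQUEST_SAME_SITE_PROTECTION)
  return protection unless cookie.key?(:same_site)
  cookie[:same_site]
end

# After #45688: CookieStore supplies its own default that defers to the
# request-wide setting, so a nil value no longer suppresses it.
def same_site_after_fix(cookie, protection = REQUEST_SAME_SITE_PROTECTION)
  cookie[:same_site].nil? ? protection : cookie[:same_site]
end

# Render the Set-Cookie line as the browser receives it.
def set_cookie_header(name, cookie, same_site)
  attrs = ["#{name}=#{cookie[:value]}", "path=/", "HttpOnly"]
  attrs << "SameSite=#{same_site.to_s.capitalize}" if same_site
  attrs.join("; ")
end

# Model of the Firefox check behind the quoted console warning: the
# attribute must be present with one of the three valid values.
def firefox_warns?(set_cookie_line)
  set_cookie_line !~ /;\s*SameSite=(Strict|Lax|None)\b/i
end

if __FILE__ == $0
  cookie = rack_session_cookie
  %i[same_site_before_fix same_site_after_fix].each do |resolver|
    line = set_cookie_header("_app_session", cookie, send(resolver, cookie))
    puts "#{resolver}: #{line}  (warns: #{firefox_warns?(line)})"
  end
end
```

Running it prints the pre-fix Set-Cookie line without any SameSite attribute (warning raised) and the post-fix line with `SameSite=Lax` (no warning).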
Matt-Yorkley commented Mar 3, 2024

Just a heads up; this issue is fixed when using ActionDispatch::Session::CookieStore by #45688, but it's not fixed for ActionDispatch::Session::CacheStore ⚠️

When using config.session_store :cache_store, SameSite defaults to nil on the resulting session cookie and Firefox throws the warning mentioned in the original bug description above. This is a security regression that's present in 7.1 (including 7.1.3.2) but not in 7.0.
