[Koha-bugs] [Bug 33259] Optionally set SameSite attribute of cookie to Strict
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Wed May 3 01:15:11 CEST 2023
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33259
--- Comment #15 from Alex Buckley <alexbuckley at catalyst.net.nz> ---
(In reply to Lucas Gass from comment #10)
> Alex,
>
> The QA tool complains about quite a few missing filters within Cookies.set.
> I think we can add the html filter in those cases, right?
>
> Also, should none be option along with lax and strict?
Hi Lucas,
Thanks for your comments.
Yes, adding the HTML filters does fix up the QA test tool failures, so I have
added that as a followup patch.
Currently all Koha cookies have 'samesite' = 'Lax' which is why I made it the
default syspref value.
However, according to https://web.dev/samesite-cookies-explained/ there are
three possible options for the 'samesite' attribute:
- Strict
- Lax
- None - means you intentionally want the cookie sent in a third-party
context.
So I think yes we should probably add 'none' as a value along with lax and
strict.
I have amended the first patch 'Add SameSiteSessionCookie system preference' to
add the 'none' option.
Thanks,
Alex
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list