fix: Use SameSite=Lax on cookies

Joakim Saario requested to merge jocke-l/aurweb:sameorigin-lax into master

The use of SameSite=Strict on the aurweb cookies currently breaks navigation from third-party origins. For example, navigating to aurweb from a search engine or a webmail provider leads to confusion because the chosen language and login session ID aren't sent by the browser in these cases.

The fix for this is to use SameSite=Lax, which is similar to SameSite=Strict except that cookies are sent when the user navigates cross-site, for example via server-initiated redirects or by following a hyperlink. Like SameSite=Strict, in the case of JavaScript XHR or HTML resource fetches (`<link>`, `<script>`, `<img>`, etc.), cookies are not sent. See more about SameSite=Lax here.

I have prepared a test page for manual testing at https://pages.x0.is/aurweb-samesite-lax-test.html. This page includes various ways to redirect to https://localhost:8444/. So to test, you'd just need to start up aurweb locally with disable_http_login=1.

In addition to adjusting the existing secure login test, this MR also adds a test for insecure logins (disable_http_login=0) to improve test coverage a little bit.
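The Strict/Lax difference the MR relies on, as an added Python model of the browser's decision logic. This is illustration code, not aurweb's own code and not the test page linked above; the cookie names `session` and `lang`, the scenario labels, and the helper functions are constructed for the example. The model encodes the rule the MR describes (Lax attaches cookies on cross-site top-level navigations such as link clicks and redirects, never on cross-site subresource fetches or XHR) plus the one extra rule a defender cares about: Lax also withholds cookies on cross-site POST form submissions, which is why Lax still blocks the classic CSRF form post.

```python
"""Model of when a browser attaches a cookie, by SameSite attribute.

Added example for the aurweb SameSite=Lax MR; not project code. Cookie
names and scenarios below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class SameSite(Enum):
    STRICT = "Strict"
    LAX = "Lax"
    NONE = "None"


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    samesite: SameSite
    secure: bool = True
    http_only: bool = True

    def set_cookie_header(self) -> str:
        """Render the value of a Set-Cookie header for this cookie."""
        parts = [f"{self.name}={self.value}", f"SameSite={self.samesite.value}"]
        if self.secure:
            parts.append("Secure")
        if self.http_only:
            parts.append("HttpOnly")
        return "; ".join(parts)


# Methods that SameSite=Lax permits on a cross-site top-level navigation.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def cookie_is_sent(cookie: Cookie, *, same_site: bool,
                   top_level_navigation: bool, method: str = "GET") -> bool:
    """Decide whether the browser attaches `cookie` to a request.

    same_site: the initiating page and the target share a site.
    top_level_navigation: the request changes the address bar (link click,
        redirect, form submission) rather than loading a subresource
        (<img>, <script>, <link>) or running XHR/fetch.
    method: HTTP method of the request.
    """
    if cookie.samesite is SameSite.NONE:
        # Modeled rule: browsers drop SameSite=None cookies lacking Secure.
        return cookie.secure
    if same_site:
        return True                      # Strict and Lax both allow same-site
    if cookie.samesite is SameSite.STRICT:
        return False                     # Strict: never cross-site
    # Lax: cross-site only for top-level navigations with a safe method.
    return top_level_navigation and method.upper() in SAFE_METHODS


# (same_site, top_level_navigation, method) for the cases the MR mentions,
# plus a cross-site POST form to show what Lax still blocks.
SCENARIOS = {
    "search engine link":       (False, True,  "GET"),
    "server redirect":          (False, True,  "GET"),
    "cross-site <img> fetch":   (False, False, "GET"),
    "cross-site XHR":           (False, False, "GET"),
    "cross-site POST form":     (False, True,  "POST"),
    "same-site XHR":            (True,  False, "GET"),
}


def navigation_matrix() -> dict:
    """Map each scenario to (sent with Strict, sent with Lax)."""
    strict = Cookie("session", "abc123", SameSite.STRICT)   # constructed
    lax = Cookie("session", "abc123", SameSite.LAX)         # constructed
    out = {}
    for label, (same, top, method) in SCENARIOS.items():
        out[label] = (
            cookie_is_sent(strict, same_site=same, top_level_navigation=top, method=method),
            cookie_is_sent(lax, same_site=same, top_level_navigation=top, method=method),
        )
    return out


if __name__ == "__main__":
    print(Cookie("lang", "en", SameSite.LAX, http_only=False).set_cookie_header())
    for label, (s, l) in navigation_matrix().items():
        print(f"{label:26} Strict={s!s:5} Lax={l!s:5}")
```

On the server side this corresponds to passing `samesite="lax"` instead of `samesite="strict"` to Starlette's `Response.set_cookie`, which is what a FastAPI application such as aurweb uses to emit the header. The matrix makes the MR's point concrete: the only rows where Strict and Lax differ are the two top-level GET navigations, which is exactly the search-engine and redirect case the MR wants to fix, while subresource fetches, XHR and cross-site POSTs stay blocked under both.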