Chrome Cookie Havoc #131

Closed
p-a-s-c-a-l opened this issue Dec 20, 2019 · 9 comments
Labels: enhancement (New feature or request)

@p-a-s-c-a-l (Member) commented Dec 20, 2019

The next release of Chrome may break our external components integrated as iFrame if they are served from a different domain than CSIS:

A cookie associated with a cross-site resource at https://csis.myclimateservice.eu/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

During development, react applications are typically served from http://localhost:3000/
This won't work any longer when the new security feature is implemented in Chrome. Thus we have to modify the cookies created by Drupal Core.

@p-a-s-c-a-l p-a-s-c-a-l added the enhancement New feature or request label Dec 20, 2019
@p-a-s-c-a-l p-a-s-c-a-l added this to the D1.4 CLARITY CSIS v2 milestone Dec 20, 2019
@patrickkaleta (Contributor)

I'm not sure how/if the next Chrome release (Chrome v.80 is supposed to be released February 4th) will affect our CSIS instance.

I enabled some settings in my current Chrome v.79 (enabled the "SameSite by default cookies" and "Cookies without SameSite must be secure" options via chrome://flags) to simulate the upcoming changes, but the table and map components seemed to still be working fine.

However, I never managed to run into a warning message about a cookie from our site (as @p-a-s-c-a-l mentioned above). I only received warnings for cookies from other sites (by visiting for example: https://csis.myclimateservice.eu/study/35/step/1528/view/maps)
[screenshot: cookie-warning]
@p-a-s-c-a-l where did you run into this specific warning message regarding one of our cookies?

@patrickkaleta (Contributor)

Nonetheless, modifying our CSIS cookies (setting the SameSite=None attribute) could be done directly on our Apache server instead of the Drupal instance. The Secure attribute should be set by Drupal 8 automatically when using https, so modifying that shouldn't be necessary.

@fgeyer16 do you have an idea how we can manage/modify the cookies on a Drupal-level?

@fgeyer16

I did not find any useful information on how to set this attribute in Drupal 8. Drupal seems to be on the safe side there. If it is possible to set this in Apache then I think this is the solution for the moment. Hopefully we do not catch some security hole doing so.

@patrickkaleta (Contributor)

If it is possible to set this in apache then I think this is the solution for the moment. Hopefully we do not catch some security hole doing so.

What I found online for our problem was the following, which needs to be added to the Apache config file:

<IfModule mod_headers.c>
  # "always" also applies to error responses (all status codes)
  Header always edit Set-Cookie (.*) "$1; SameSite=none"
  # "onsuccess" applies to HTTP 2xx responses
  Header onsuccess edit Set-Cookie (.*) "$1; SameSite=none"
  # remove duplications (Apache sends from both tables, always and onsuccess)
  ## https://www.tunetheweb.com/security/http-security-headers/secure-cookies/
  # Strip off double SameSite=none settings, as using the above you can sometimes get both
  Header edit Set-Cookie ^(.*);\s?SameSite=none;?\s?(.*);\s?SameSite=none;?\s?(.*)$ "$1; $2; $3; SameSite=none"

  # Strip off double ";;" settings
  Header edit Set-Cookie ^(.*);\s?;\s?(.*)$ "$1; $2"
</IfModule>

This works for my localhost (I had to enable the headers module in my Apache, not sure how it is configured on our server) and I was able to set either None, Lax or Strict for the SameSite attribute.

Though I'm not experienced with configuring Apache servers, so I'm not sure whether or not the mentioned configuration could have any possible security risk implications.
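An added example (not code from this thread or the CSIS project) that models the three Header edit rules above in Python and then applies Chrome 80's cross-site cookie rule to the result; the Set-Cookie values are constructed. It shows the rewrite adds SameSite=none but not Secure, so a cookie that Drupal did not already mark Secure is still rejected cross-site.

```python
import re

# Constructed sample Set-Cookie headers (not real values): roughly what a Drupal
# site behind Apache emits: a session cookie, has_js, and one already marked Secure.
SAMPLE_HEADERS = [
    "SSESSabc123=deadbeef; expires=Mon, 13-Jan-2020 10:00:00 GMT; Max-Age=2000000; path=/; HttpOnly",
    "has_js=1; path=/",
    "prefs=dark; path=/; Secure",
]

# The three 'Header edit' patterns from the Apache snippet above, as Python regexes.
APPEND = (r"(.*)", r"\1; SameSite=none")
DEDUP = (r"^(.*);\s?SameSite=none;?\s?(.*);\s?SameSite=none;?\s?(.*)$",
         r"\1; \2; \3; SameSite=none")
SQUASH = (r"^(.*);\s?;\s?(.*)$", r"\1; \2")


def apache_edit_chain(header):
    """Model the snippet: the append runs twice (once per header table, as the
    comment notes), then each clean-up rule runs once, as 'Header edit' does."""
    h = re.sub(APPEND[0], APPEND[1], header, count=1)
    h = re.sub(APPEND[0], APPEND[1], h, count=1)
    h = re.sub(DEDUP[0], DEDUP[1], h, count=1)
    # One empty '; ;' attribute survives SQUASH; browsers ignore empty/unknown attributes.
    return re.sub(SQUASH[0], SQUASH[1], h, count=1)


def cookie_attrs(header):
    """Split a Set-Cookie header into (cookie name, {attribute_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return parts[0].split("=", 1)[0], attrs


def chrome80_verdict(header):
    """How Chrome 80 treats the cookie on a cross-site request, e.g. from an iframe."""
    name, attrs = cookie_attrs(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        return name, "sent" if "secure" in attrs else "rejected: SameSite=None without Secure"
    if samesite in ("lax", "strict"):
        return name, "not sent cross-site (SameSite=%s)" % samesite
    return name, "not sent cross-site (no SameSite, defaulted to Lax)"


def audit(headers, rewrite=True):
    """Map cookie name -> verdict, before (rewrite=False) or after the Apache rewrite."""
    return dict(chrome80_verdict(apache_edit_chain(h) if rewrite else h) for h in headers)
```

Run `audit(SAMPLE_HEADERS)` against the headers your own server actually returns to see which cookies the rewrite alone does not rescue.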

@patrickkaleta (Contributor)

Found an example, where this new Chrome behaviour will cause troubles:
https://csis.myclimateservice.eu/study/55/step/1952/view/maps

We will probably have to change the Cookie configuration on the profile.myclimateservice.eu and clarity.saver.red servers as well.

@fgeyer16

Changed the cookie configuration on Profile.

@fgeyer16

I did some testing.
Upgraded the test CAS user to admin temporarily, so that he can see the map, and logged in via CAS.
The result is the same as in clarity-h2020/csis#122 (comment):
I see the login form of profile.myclimateservice.eu in the iframe, but even if I enter the credentials again, the iframe will stay at the login form.

@p-a-s-c-a-l (Member, Author)

Changed the cookie configuration on Profile.

So, what's the current status of this issue? The Transport Application integrated on this page will yield the following warning in Chrome:

A cookie associated with a cross-site resource at http://clarity.saver.red/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

In Firefox, it isn't showing up at all.

@p-a-s-c-a-l (Member, Author)

Should be solvable with CSP, see clarity-h2020/csis#134 (comment)
