Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/09/07 11:58:58 UTC

[GitHub] [couchdb] janl opened a new pull request #3131: feat: add same_site = none_secure option

janl opened a new pull request #3131:
URL: https://github.com/apache/couchdb/pull/3131


   c.f. https://web.dev/samesite-cookies-explained/
   
   also https://github.com/apache/couchdb/discussions/3012


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [couchdb] janl edited a comment on pull request #3131: feat: add same_site = none_secure option

Posted by GitBox <gi...@apache.org>.
janl edited a comment on pull request #3131:
URL: https://github.com/apache/couchdb/pull/3131#issuecomment-688280662


   I’d be happy to bike shed this to make it its own config variable `cookie_secure = bool` and folks who want both can set both, this was the least effort way to propose a change tho :)





[GitHub] [couchdb] janl commented on pull request #3131: feat: add same_site = none_secure option

Posted by GitBox <gi...@apache.org>.
janl commented on pull request #3131:
URL: https://github.com/apache/couchdb/pull/3131#issuecomment-688351779


   This might still be useful for scenarios where folks are behind proxies where they can’t add the Secure flag to the `Set-Cookie` header dynamically, and if they don’t want to go through the particular fun of setting up TLS with CouchDB itself.
   
   But unless we have folks reporting they are in this situation, I’m happy to hold off on this.





[GitHub] [couchdb] janl commented on pull request #3131: feat: add same_site = none_secure option

Posted by GitBox <gi...@apache.org>.
janl commented on pull request #3131:
URL: https://github.com/apache/couchdb/pull/3131#issuecomment-688280662


   I’d be happy to biked this to make it its own config variable `cookie_secure = bool` and folks who want both can set both, this was the least effort way to propose a change tho :)





[GitHub] [couchdb] rnewson commented on pull request #3131: feat: add same_site = none_secure option

Posted by GitBox <gi...@apache.org>.
rnewson commented on pull request #3131:
URL: https://github.com/apache/couchdb/pull/3131#issuecomment-688313054


   I'm -1 on this on principle, but please update the PR if I'm missing something obvious.





[GitHub] [couchdb] rnewson commented on pull request #3131: feat: add same_site = none_secure option

Posted by GitBox <gi...@apache.org>.
rnewson commented on pull request #3131:
URL: https://github.com/apache/couchdb/pull/3131#issuecomment-688307170


   hm, the secure flag is added automatically if couchdb is serving a TLS response. If something else is doing TLS (like haproxy) then it should also add the secure flag.


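A check for the case discussed in this thread, where a proxy terminates TLS and the backend itself serves plain HTTP, so the `Set-Cookie` header can reach the browser without `Secure`. This is an added example, not code from the pull request or from CouchDB; the function names, finding codes and sample headers are constructed for illustration.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute names lowercased."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_set_cookie(header, client_scheme):
    """Return (cookie name, finding codes) for a header as the browser receives it.

    client_scheme is the scheme the browser used ("https" when a proxy
    terminates TLS), not the scheme between proxy and backend.
    """
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    findings = []
    # Browsers reject SameSite=None cookies that lack Secure.
    if attrs.get("samesite", "").lower() == "none" and not secure:
        findings.append("samesite-none-without-secure")
    # A cookie set over TLS without Secure is also sent over plain HTTP.
    if client_scheme == "https" and not secure:
        findings.append("tls-without-secure")
    return name, findings


# Constructed sample headers (scheme seen by the browser, Set-Cookie value).
SAMPLES = [
    ("https", "AuthSession=Y29uc3RydWN0ZWQ; Version=1; Path=/; HttpOnly; SameSite=None"),
    ("https", "AuthSession=Y29uc3RydWN0ZWQ; Version=1; Path=/; HttpOnly; Secure; SameSite=None"),
    ("https", "AuthSession=Y29uc3RydWN0ZWQ; Version=1; Path=/; HttpOnly; SameSite=Strict"),
]


def audit_all(samples=SAMPLES):
    """Audit every sample and return the list of (name, findings) results."""
    return [audit_set_cookie(header, scheme) for scheme, header in samples]


if __name__ == "__main__":
    for name, findings in audit_all():
        print(name, findings or "ok")
```

Run it against headers captured at the client side of the proxy, since that is the only place where the proxy's rewriting, or lack of it, is visible.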