Posted to bugs@httpd.apache.org by bu...@apache.org on 2020/01/15 16:04:28 UTC
[Bug 64077] New: Support SameSite, Secure and httpOnly parameter
https://bz.apache.org/bugzilla/show_bug.cgi?id=64077
Bug ID: 64077
Summary: Support SameSite, Secure and httpOnly parameter
Product: Apache httpd-2
Version: 2.4.41
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_usertrack
Assignee: bugs@httpd.apache.org
Reporter: prashant2400@gmail.com
Target Milestone: ---
Hello there, because Chrome 80 would treat all cookies which do not mention
SameSite=None as Lax cookies, I am afraid the mod_usertrack cookie cannot be
used as a third party cookie.
1) Configure an httpd virtualhost/server which has mod_usertrack available.
Let's call it foobar.com. Put a small image, let's say img1.png, so that it is
accessible as foobar.com/img1.png
2) Access foobar.com/img1.png. Make sure in the browser that the appropriate
tracking cookie has been set.
3) Configure another httpd virtualhost/server, say bazbar.com, which has a page
called test.html, containing a reference to foobar.com/img1.png
4) While accessing bazbar.com/test.html, Chrome would show a warning saying the
mod_usertrack cookie is set without a SameSite attribute, and from Chrome 80 it
will be treated as a Lax cookie, unless explicitly marked as SameSite=None
More info:
https://www.chromestatus.com/feature/5088147346030592
https://www.chromestatus.com/feature/5633521622188032
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 64077] Support SameSite, Secure and httpOnly parameter
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64077
Eric Covener <co...@gmail.com> changed:
          What|Removed                     |Added
----------------------------------------------------------------------------
    Resolution|---                         |FIXED
        Status|NEW                         |RESOLVED
      Keywords|                            |FixedInTrunk
--- Comment #5 from Eric Covener <co...@gmail.com> ---
submitted with tweaks in
http://svn.apache.org/viewvc?view=revision&revision=1874389 and will propose
for backport.
Thanks again!
[Bug 64077] Support SameSite, Secure and httpOnly parameter
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64077
--- Comment #4 from prashant keshvani <pr...@gmail.com> ---
(In reply to Eric Covener from comment #3)
> Thanks Prashant. Do you think we need a backdoor per-request environment
> variable to avoid adding the parm for intolerant browsers? We don't need to
> calculate it, just check if some usertrack-no-samesite is present in
> subprocess_env table? You can see examples in mod_deflate of how no-gzip is
> checked.
Hello Eric!
Got your point, buy me some time to work on this, and I will get back to you,
thanks!
[Bug 64077] Support SameSite, Secure and httpOnly parameter
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64077
--- Comment #3 from Eric Covener <co...@gmail.com> ---
Thanks Prashant. Do you think we need a backdoor per-request environment
variable to avoid adding the parm for intolerant browsers? We don't need to
calculate it, just check if some usertrack-no-samesite is present in
subprocess_env table? You can see examples in mod_deflate of how no-gzip is
checked.
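Added example, not code from the attached patch or from httpd: a self-contained C sketch of the behaviour discussed in the report and in comment #3, composing the tracking cookie with SameSite, Secure and HttpOnly and dropping SameSite when a usertrack-no-samesite entry is present in the per-request environment. The struct and function names are hypothetical, the environment table is modelled as a plain array, the cookie name and value are constructed, and refusing SameSite=None without Secure is this example's own policy.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the module's cookie settings. */
struct cookie_opts {
    const char *samesite; /* "None", "Lax", "Strict", or NULL to omit */
    int secure, httponly;
};

/* Constructed model of the per-request table (r->subprocess_env in httpd). */
struct env_entry { const char *key, *val; };

static int env_has(const struct env_entry *env, size_t n, const char *key)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(env[i].key, key) == 0)
            return 1;
    return 0;
}

/* Returns 0 on success, -1 on truncation or SameSite=None without Secure. */
int build_set_cookie(char *out, size_t outlen, const char *name,
                     const char *value, const struct cookie_opts *o,
                     const struct env_entry *env, size_t nenv)
{
    const char *ss = o->samesite;
    /* Presence alone switches the attribute off, as with no-gzip. */
    if (ss && env_has(env, nenv, "usertrack-no-samesite"))
        ss = NULL;
    /* Chrome 80 rejects SameSite=None cookies that are not Secure. */
    if (ss && strcmp(ss, "None") == 0 && !o->secure)
        return -1;
    int n = snprintf(out, outlen, "%s=%s; path=/%s%s%s%s", name, value,
                     ss ? "; SameSite=" : "", ss ? ss : "",
                     o->secure ? "; Secure" : "",
                     o->httponly ? "; HttpOnly" : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char buf[128];
    struct cookie_opts o = { "None", 1, 1 };
    struct env_entry env[] = { { "usertrack-no-samesite", "1" } };
    if (build_set_cookie(buf, sizeof buf, "Apache", "abc123", &o, NULL, 0) == 0)
        puts(buf); /* third-party capable cookie */
    if (build_set_cookie(buf, sizeof buf, "Apache", "abc123", &o, env, 1) == 0)
        puts(buf); /* same request with the opt-out set */
    return 0;
}
```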
[Bug 64077] Support SameSite, Secure and httpOnly parameter
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64077
--- Comment #1 from prashant keshvani <pr...@gmail.com> ---
Created attachment 36965
--> https://bz.apache.org/bugzilla/attachment.cgi?id=36965&action=edit
Patch for same
[Bug 64077] Support SameSite, Secure and httpOnly parameter
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64077
--- Comment #2 from prashant keshvani <pr...@gmail.com> ---
Submitted patch :)