Posted to bugs@httpd.apache.org by bu...@apache.org on 2020/01/15 16:04:28 UTC

[Bug 64077] New: Support SameSite, Secure and httpOnly parameter

https://bz.apache.org/bugzilla/show_bug.cgi?id=64077

            Bug ID: 64077
           Summary: Support SameSite, Secure and httpOnly parameter
           Product: Apache httpd-2
           Version: 2.4.41
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_usertrack
          Assignee: bugs@httpd.apache.org
          Reporter: prashant2400@gmail.com
  Target Milestone: ---

Hello there, because Chrome 80 would treat all cookies which do not mention
SameSite=None as Lax cookies, I am afraid the mod_usertrack cookie cannot be used as
a third-party cookie.

1) Configure an httpd virtualhost/server which has mod_usertrack available; let's
call it foobar.com. Put a small image, let's say img1.png, so that it is
accessible as foobar.com/img1.png

2) Access foobar.com/img1.png. Make sure in the browser that the appropriate tracking
cookie has been set.

3) Configure another httpd virtualhost/server, say bazbar.com, which has a page
called test.html, containing a reference to foobar.com/img1.png

4) While accessing bazbar.com/test.html, Chrome would show a warning saying the
mod_usertrack cookie is set without the SameSite attribute, and from Chrome 80 it
will be treated as a Lax cookie, unless explicitly marked as SameSite=None

More info
https://www.chromestatus.com/feature/5088147346030592
https://www.chromestatus.com/feature/5633521622188032

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 64077] Support SameSite, Secure and httpOnly parameter

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64077

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
           Keywords|                            |FixedInTrunk

--- Comment #5 from Eric Covener <co...@gmail.com> ---
Submitted with tweaks in
http://svn.apache.org/viewvc?view=revision&revision=1874389 and will propose
for backport.

Thanks again!



[Bug 64077] Support SameSite, Secure and httpOnly parameter


--- Comment #4 from prashant keshvani <pr...@gmail.com> ---
(In reply to Eric Covener from comment #3)
> Thanks Prashant. Do you think we need a backdoor per-request environment
> variable to avoid adding the parm for intolerant browsers?  We don't need to
> calculate it, just check if some usertrack-no-samesite is present in
> subprocess_env table? You can see examples in mod_deflate of how no-gzip is
> checked.

Hello Eric!
Got your point, buy me some time to work on this, and I will get back to you,
thanks!



[Bug 64077] Support SameSite, Secure and httpOnly parameter


--- Comment #3 from Eric Covener <co...@gmail.com> ---
Thanks Prashant. Do you think we need a backdoor per-request environment
variable to avoid adding the parm for intolerant browsers?  We don't need to
calculate it, just check if some usertrack-no-samesite is present in
subprocess_env table? You can see examples in mod_deflate of how no-gzip is
checked.

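The Chrome 80 behaviour described in the original report, and the per-request opt-out Eric floats in comment #3, modelled together as an added Python example (this is not mod_usertrack's code or the patch from attachment 36965). The cookie name Apache, the environment variable name usertrack-no-samesite and the cross-site image scenario (bazbar.com/test.html embedding foobar.com/img1.png) are assumptions taken from this thread.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    samesite: "str | None" = None  # "None", "Lax", "Strict" or unset
    secure: bool = False
    httponly: bool = False

def set_cookie_header(c: Cookie, env: dict = None) -> str:
    """Render Set-Cookie. A per-request env var 'usertrack-no-samesite'
    (hypothetical name, after comment #3) drops SameSite for old browsers."""
    env = env or {}
    parts = [f"{c.name}={c.value}"]
    if c.samesite and "usertrack-no-samesite" not in env:
        parts.append(f"SameSite={c.samesite}")
    if c.secure:
        parts.append("Secure")
    if c.httponly:
        parts.append("HttpOnly")
    return "; ".join(parts)

def parse_set_cookie(header: str) -> Cookie:
    """Minimal parser for the header shape produced above."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    c = Cookie(name, value)
    for a in attrs:
        k, _, v = a.lower().partition("=")
        if k == "samesite":
            c.samesite = v.capitalize()
        elif k == "secure":
            c.secure = True
        elif k == "httponly":
            c.httponly = True
    return c

def sent_with_cross_site_image(header: str, https: bool, chrome80: bool) -> bool:
    """Would the browser attach this cookie to a cross-site <img> fetch?"""
    c = parse_set_cookie(header)
    mode = c.samesite or ("Lax" if chrome80 else "None")  # 80: unset -> Lax
    if mode == "None":
        if chrome80 and not c.secure:
            return False  # Chrome 80 rejects SameSite=None without Secure
        return https or not c.secure  # Secure cookies only travel over TLS
    return False  # Lax/Strict are never sent on a cross-site subresource
```

A tracking cookie issued as plain `Apache=<id>` is still attached by pre-80 browsers but dropped on the cross-site image load once the Chrome 80 default applies; only `SameSite=None; Secure` over HTTPS keeps it working as a third-party cookie.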


[Bug 64077] Support SameSite, Secure and httpOnly parameter


--- Comment #1 from prashant keshvani <pr...@gmail.com> ---
Created attachment 36965
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36965&action=edit
Patch for same



[Bug 64077] Support SameSite, Secure and httpOnly parameter


--- Comment #2 from prashant keshvani <pr...@gmail.com> ---
Submitted patch :)
