I have a website that supports SSO and we are using an iframe to invoke the logout URLs of SAML apps. We started seeing issues when the user clicks on logout: the IdP is logging out of all service providers, but due to Chrome's recent cookie-related changes, cookies are not sent in the request. As cookies are not sent, logout requests are not able to identify the session and logged-in users are still logged in. I read that we can set the SameSite attribute to None to ignore the Chrome 80 changes. Is there any other way to handle this case?
I have website A (a.com) which uses an API (myapi.com), and that API, on a login request, sets a cookie to identify the user (set-cookie: user=123; domain=myapi.com; secure; samesite=none). As expected, I see that cookie in Chrome Dev Tools > Application > Cookies > https://a.com > Name: user, and this cookie is then sent in every following request to the API (myapi.com) service, so up until now everything works like I think it should.
But now comes the weird part. I have a second website B (b.org) (hosted on a completely separate domain) which also uses the API (myapi.com) service, but this time without a login request; it executes only public endpoints. Now when I open B (b.org) in the same browser I previously signed in to A (a.com) with, in Chrome Dev Tools > Application > Cookies > https://b.org I see the user cookie. This cookie is not sent to the API (myapi.com), but I can see it in Dev Tools, and I wonder why that is? Isn't it a bug? Luckily that cookie is not sent to the API (myapi.com) from the B (b.org) website, but it is still there. I see this in Chrome and Brave.
I can reproduce the issue by following these steps with a website I host:
1. Click a link to the website from any external site
2. Submit an AJAX form that returns a Set-Cookie header with the SameSite=Strict attribute
   At this point I can confirm that the cookie is set by looking in chrome://settings
3. Reload the page
On step 3, the cookie is not sent with the request. The DevTools network tab shows:
The cookie was blocked because it had the "SameSite=Strict" attribute and the request was made from a different site. This includes top-level navigation requests initiated by other sites.
Is this the correct behavior for SameSite=Strict cookies? I understand why the cookie would not be sent with the initial request in step 1 (since it originated from a different site), but I expected that an explicit reload triggered by a user would be considered a same-site request.
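The same-site decision that DevTools message describes, as an added worked example that is not part of this question or of any answer to it: a simplified model of the rules Chrome 80 applies before attaching a cookie to a request. It covers the cross-site iframe logout from the first question on this page, the RFC 6265 Domain matching behind the domain=myapi.com cookie in the second, and the SameSite=Strict reload above. Everything in it is an assumption of the example: the host names, the cookie objects, the registrable-domain shortcut (real browsers consult the Public Suffix List), and the treatment of a reload as repeating the original navigation with the same cross-site initiator, which is what the question reports observing.

```javascript
// Added example, not Chrome's code: a simplified model of the cookie rules
// Chrome 80 applies to a request. Host names and cookies are made up.

// Schemeful "site" of a URL: scheme plus registrable domain.
// Simplification: registrable domain = last two host labels. Real browsers
// consult the Public Suffix List (co.uk, github.io, ...).
function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split('.');
  return `${u.protocol}//${labels.slice(-2).join('.')}`;
}

function isSameSite(urlA, urlB) {
  return siteOf(urlA) === siteOf(urlB);
}

// RFC 6265 domain matching: a cookie with a Domain attribute matches that
// domain and its subdomains; a host-only cookie matches exactly its host.
function domainMatches(cookie, requestUrl) {
  const host = new URL(requestUrl).hostname;
  if (!cookie.domain) return host === cookie.host;
  const d = cookie.domain.replace(/^\./, '').toLowerCase();
  return host === d || host.endsWith('.' + d);
}

const LAX_PLUS_POST_WINDOW_MS = 2 * 60 * 1000;

// cookie:  { name, host, domain?, secure, sameSite?: 'Strict'|'Lax'|'None', setAt }
// request: { url, initiator, topLevelNavigation, method, now }
//   initiator = URL of the page that caused the request: the embedding page for
//   an iframe/XHR/img, the page holding the link for a navigation. For a reload
//   the example assumes the initiator of the navigation being repeated.
function cookieIsSent(cookie, request) {
  if (!domainMatches(cookie, request.url)) {
    return { sent: false, reason: 'cookie domain does not match request host' };
  }
  const https = new URL(request.url).protocol === 'https:';
  if (cookie.secure && !https) {
    return { sent: false, reason: 'Secure cookie, non-https request' };
  }
  const mode = cookie.sameSite || 'Lax-by-default';

  if (mode === 'None') {
    // Chrome 80 honours SameSite=None only together with Secure; without
    // Secure the cookie is rejected at Set-Cookie time.
    return cookie.secure
      ? { sent: true, reason: 'SameSite=None; Secure: sent cross-site' }
      : { sent: false, reason: 'SameSite=None without Secure is rejected' };
  }
  if (isSameSite(request.initiator, request.url)) {
    return { sent: true, reason: 'same-site request' };
  }
  if (mode === 'Strict') {
    return { sent: false, reason: 'SameSite=Strict: cross-site initiator, top-level navigations included' };
  }
  // Lax, explicit or Chrome 80's default for cookies without the attribute:
  // cross-site only on top-level navigations with a safe method ...
  if (!request.topLevelNavigation) {
    return { sent: false, reason: `${mode}: cross-site subresource, iframe or XHR` };
  }
  if (request.method === 'GET' || request.method === 'HEAD') {
    return { sent: true, reason: `${mode}: cross-site top-level GET navigation` };
  }
  // ... plus, for the default-only case, cross-site top-level POSTs within two
  // minutes of the cookie being set ("Lax+POST", for flows that POST back).
  if (mode === 'Lax-by-default' && request.method === 'POST' &&
      request.now - cookie.setAt < LAX_PLUS_POST_WINDOW_MS) {
    return { sent: true, reason: 'Lax-by-default: cross-site top-level POST within 2 minutes of Set-Cookie' };
  }
  return { sent: false, reason: `${mode}: cross-site top-level ${request.method}` };
}

// The situations from this page, as constructed inputs.
const SP_SESSION = { name: 'JSESSIONID', host: 'sp.example', secure: true, setAt: 0 };
const STRICT_SESSION = { name: 'sid', host: 'test.com', secure: true, sameSite: 'Strict', setAt: 0 };
const IFRAME_LOGOUT = { url: 'https://sp.example/saml/logout', initiator: 'https://idp.example/logout',
                        topLevelNavigation: false, method: 'GET', now: 10 * 60 * 1000 };

const PAGE_CASES = {
  // First question: IdP page embeds <iframe src="https://sp.example/saml/logout">.
  iframeLogout:         { cookie: SP_SESSION, request: IFRAME_LOGOUT },
  iframeLogoutWithNone: { cookie: { ...SP_SESSION, sameSite: 'None' }, request: IFRAME_LOGOUT },
  // Strict question: arrived via a link from external.example, set the cookie, reloaded.
  strictReloadAfterExternalLink: {
    cookie: STRICT_SESSION,
    request: { url: 'https://test.com/', initiator: 'https://external.example/',
               topLevelNavigation: true, method: 'GET', now: 0 },
  },
  strictAfterInternalLink: {
    cookie: STRICT_SESSION,
    request: { url: 'https://test.com/', initiator: 'https://test.com/other',
               topLevelNavigation: true, method: 'GET', now: 0 },
  },
};

function evaluatePageCases() {
  const out = {};
  for (const [name, { cookie, request }] of Object.entries(PAGE_CASES)) {
    out[name] = cookieIsSent(cookie, request);
  }
  return out;
}
```

In this model the iframe logout is withheld until the SP session cookie carries SameSite=None; Secure, and a Strict cookie stays blocked on a reload whose initiator is still the external site, while a navigation from an internal link sends it.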
Example: a page on https://test.com/abc/
User clicks on a link with href="https://testtarget.com/"
In rare cases, the server received https://testtarget.com as the Referer instead of https://test.com
It happens for multiple users, all of whom have recent Chrome versions.
What could be the reason?
UPDATE:
Do you know of popular privacy software/add-ons that would change the referrer to the request domain?
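What the browser should send in the first place, as an added example that is not part of the question or of any answer to it: the Referrer Policy algorithm that decides the Referer for a navigation from one URL to another. Assumptions of the example: the URLs are absolute and well formed, the "downgrade" test is simplified to https-to-http (the spec's "potentially trustworthy" notion also covers localhost), and the empty policy is mapped to strict-origin-when-cross-origin, the spec default and Chrome's default since Chrome 85.

```javascript
// Added example, not browser code: the Referer a browser sends for a
// navigation from `from` to `to` under a Referrer-Policy, following the
// Referrer Policy specification. Returns null for "no referrer".

// Referrer form of a full URL: credentials and fragment stripped.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Origin-only form: the serialised origin followed by "/".
function originReferrer(url) {
  return new URL(url).origin + '/';
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Simplification: a downgrade is https -> http. The spec compares against
// "potentially trustworthy" URLs, which also admit localhost and file:.
function isDowngrade(from, to) {
  return new URL(from).protocol === 'https:' && new URL(to).protocol === 'http:';
}

function referrerFor(from, to, policy = 'strict-origin-when-cross-origin') {
  const full = stripForReferrer(from);
  const origin = originReferrer(from);
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return full;
    case 'origin':
      return origin;
    case 'same-origin':
      return sameOrigin(from, to) ? full : null;
    case 'origin-when-cross-origin':
      return sameOrigin(from, to) ? full : origin;
    case 'no-referrer-when-downgrade':
      return isDowngrade(from, to) ? null : full;
    case 'strict-origin':
      return isDowngrade(from, to) ? null : origin;
    case '':  // empty policy: the spec default (older browsers used no-referrer-when-downgrade)
    case 'strict-origin-when-cross-origin':
      if (sameOrigin(from, to)) return full;
      return isDowngrade(from, to) ? null : origin;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}
```

Every branch derives its value from `from`; none looks at `to` except to compare origins or schemes, so a Referer equal to the destination's own origin cannot come out of the policy algorithm itself.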
Chrome 80 and up (released on 4/Feb/2020; I downloaded it one day early using Chrome Beta to test my site) enforces setting the SameSite attribute.
It gives my site the following error:
A cookie associated with a cross-site resource at URL was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
I've looked in Application>Storage>Cookies but I have only one cookie set, which looks like this:
How do I know which Cookie was blocked and which request it was blocked on?
Does this issue cause a cookie not to be set, OR does it cause a cookie not to be sent in an HTTP request?
Does it treat cookies set client side and cookies set server side (using the Set-Cookie response header) differently?
Thanks
See here for more info: https://www.chromium.org/updates/same-site/test-debug
How do I know which Cookie was blocked and which request it was blocked on?
You will need to look through the Network panel in DevTools, find the request, and look at the filtered out cookies.
Does this issue cause a cookie not to be set, OR does it cause a cookie not to be sent in an HTTP request?
Both are possible.
Does it treat cookies set client side and cookies set server side (using the Set-Cookie response header) differently?
No.
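The "both are possible" point in practice, as an added example that is not the answer's tooling and not from the linked Chromium page: a small Set-Cookie linter for the Chrome 80 rules under discussion. It parses a Set-Cookie header, tells the two outcomes apart (rejected at Set-Cookie time versus stored but withheld from cross-site requests), and can rewrite a header to SameSite=None; Secure for cookies that genuinely need to travel cross-site. Sample headers, cookie names and host names are constructed for the example.

```javascript
// Added example, not from the page above: lint Set-Cookie headers against the
// Chrome 80 SameSite rules. Inputs below are made up.

// Parse one Set-Cookie header value into name, value and attributes.
// `attrs` is keyed by lower-cased attribute name (true for flag attributes);
// `raw` keeps the original attribute tokens for faithful rewriting.
function parseSetCookie(header) {
  const tokens = header.split(';').map(s => s.trim()).filter(Boolean);
  const [pair, ...rest] = tokens;
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {}, raw: rest };
  for (const token of rest) {
    const i = token.indexOf('=');
    const key = (i === -1 ? token : token.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : token.slice(i + 1);
  }
  return cookie;
}

// Audit a header from a response served at `responseUrl`.
//   stored:        would Chrome 80 accept the cookie at all?
//   sentCrossSite: would it be attached to cross-site subresource/iframe/XHR requests?
function auditSetCookie(header, responseUrl) {
  const c = parseSetCookie(header);
  const https = new URL(responseUrl).protocol === 'https:';
  const secure = c.attrs.secure === true;
  const sameSite = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : undefined;
  const findings = [];
  let stored = true;
  let sentCrossSite = false;

  if (secure && !https) {
    stored = false;
    findings.push('Secure cookie set over http is rejected');
  }
  if (sameSite === 'none') {
    if (!secure) {
      stored = false;
      findings.push('SameSite=None without Secure: rejected at Set-Cookie time (cookie is never set)');
    } else {
      sentCrossSite = true;
    }
  } else if (sameSite === 'lax' || sameSite === 'strict') {
    findings.push(`SameSite=${c.attrs.samesite}: stored, first-party only`);
  } else {
    const what = sameSite === undefined ? 'no SameSite attribute' : `unrecognised SameSite value "${c.attrs.samesite}"`;
    findings.push(`${what}: Chrome 80 treats it as Lax, so it is stored but not sent on cross-site subresource, iframe or XHR requests`);
  }
  return { name: c.name, stored, sentCrossSite, findings };
}

// Rewrite a header so the cookie is usable cross-site: drop any existing
// SameSite/Secure tokens and append "Secure; SameSite=None". Only meaningful
// for cookies served over https.
function upgradeForCrossSite(header) {
  const c = parseSetCookie(header);
  const kept = c.raw.filter(token => {
    const key = token.split('=')[0].trim().toLowerCase();
    return key !== 'samesite' && key !== 'secure';
  });
  return [`${c.name}=${c.value}`, ...kept, 'Secure', 'SameSite=None'].join('; ');
}

// Constructed sample: headers a reverse proxy might see from three backends.
const SAMPLE_HEADERS = [
  { header: 'user=123; Domain=myapi.com; Secure; SameSite=None', url: 'https://myapi.com/login' },
  { header: 'JSESSIONID=abc; Path=/; HttpOnly', url: 'https://sp.example/' },
  { header: 'legacy=1; SameSite=None', url: 'https://sp.example/' },
];

function auditSamples() {
  return SAMPLE_HEADERS.map(({ header, url }) => auditSetCookie(header, url));
}
```

Run `auditSamples()` to see the three outcomes side by side: the first cookie is stored and sent cross-site, the second is stored but withheld cross-site (the DevTools warning in the question), the third is never stored at all.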
I have a page on domain A which loads a web worker script from domain B. The web worker is fetching some PNGs from domain A's server.
In Firefox, the request to get the PNGs contains the cookie for my site (domain A).
In Chrome, it does not include the cookie for my site, and so fails because the request must be coming from a logged in user (which requires the session cookie to be sent in the request).
Which browser is behaving correctly, and can I do anything to make Chrome send the cookie for the current domain from within a web worker?
UPDATE:
I pulled all the files from domain B and hosted them on my server at domain A, so the web worker file is now on the same domain as the site itself, but Chrome still does not send the session cookie with the requests from the web worker.
With regards to the first problem, it looks like Firefox is incorrect; you shouldn't be able to instantiate a Worker on another domain. To quote the spec:
"If the scheme component of worker URL is not "data", and the origin of worker URL is not the same as the origin specified by the incumbent settings object, then throw a SecurityError exception and abort these steps."
With regards to Chrome, the Workers run in a separate they work for me and without seeing more code it's hard to answer. But if you visit this demo and break before the postMessage to the worker, set document.cookie='test=1', and you will see that when the request goes out from the worker it is set.
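The origin rule the answer quotes, as an added example that is not the answer's own code or its demo: a function that resolves a worker script URL the way `new Worker(url)` does (relative to the creating document) and applies the check, including the data: exemption. The host names and paths are made up.

```javascript
// Added example, not browser code: the spec check quoted above for
// `new Worker(workerUrl)` created from a document at `documentUrl`.
// Returns { allowed, reason }; a browser would throw SecurityError when
// allowed is false.

function workerCreationCheck(workerUrl, documentUrl) {
  // Relative worker URLs resolve against the creating document's URL.
  const resolved = new URL(workerUrl, documentUrl);

  // "If the scheme component of worker URL is not 'data' ..." : data: scripts
  // are exempt from the origin comparison (their origin would be opaque).
  if (resolved.protocol === 'data:') {
    return { allowed: true, reason: 'data: URL is exempt from the origin check', url: resolved.href };
  }

  // "... and the origin of worker URL is not the same as the origin specified
  // by the incumbent settings object": compare serialised origins. blob: URLs
  // carry the origin of the document that created them (URL spec origin
  // getter), so the same comparison covers them without a special case.
  const documentOrigin = new URL(documentUrl).origin;
  if (resolved.origin !== documentOrigin) {
    return {
      allowed: false,
      reason: `SecurityError: worker origin ${resolved.origin} differs from document origin ${documentOrigin}`,
      url: resolved.href,
    };
  }
  return { allowed: true, reason: 'same-origin worker script', url: resolved.href };
}
```

The first scenario in the question above (a page on domain A loading the worker from domain B) is the cross-origin case this function rejects; after the files were moved to domain A the check passes, which is why the remaining cookie problem has to lie elsewhere than in worker instantiation.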