
Allow disabling of X-Frame-Options and setting of SameSite session cookie attribute #3491

Closed
SPodjasek opened this issue Jan 4, 2025 · 1 comment

Comments


SPodjasek commented Jan 4, 2025

It would be great if we could disable SameSite=Lax and set it to None in session cookies, or disable sending X-Frame-Options with responses - although that last one can be handled by our proxy.

Expected Behavior

Allow setting those values through config or environment variables, just like MINIO_BROWSER_CONTENT_SECURITY_POLICY.

Current Behavior

Currently Lax is a hard-coded value:

SameSite: http.SameSiteLaxMode,

Possible Solution

Allow configuration of this attribute via Environment Variable or Configuration Setting, possibly as:

Environment                           Configuration
MINIO_BROWSER_COOKIE_SAMESITE=None    mc admin config set browser cookie_samesite="None"
MINIO_BROWSER_FRAME_DENY=off          mc admin config set browser frame_deny="off"

Steps to Reproduce (for bugs)

  1. Open console in embedded iframe

Context

We have a cluster management panel which opens various solution management pages in an iframe. This includes Traefik dashboards, Prometheus, Grafana etc. Lately we've added the MinIO console to that list, but because cookies are sent with SameSite=Lax and the iframe doesn't start a top-level navigation, the session token is not set by the browser and the console is only usable in a top-level tab or window.

Regression

No

Your Environment

  • MinIO version used (minio --version):

    minio version RELEASE.2024-12-18T13-15-44Z (commit-id=16f8cf1c52f0a77eeb8f7565aaf7f7df12454583)
    Runtime: go1.23.4 linux/amd64
    License: GNU AGPLv3 - https://www.gnu.org/licenses/agpl-3.0.html
    Copyright: 2015-2024 MinIO, Inc.
    
  • Server setup and configuration:

    Running as tenant on Kubernetes cluster with MinIO Operator v6.0.4
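The following is an added example sketching how the proposed settings could be wired up; it is not MinIO code, and the variable names MINIO_BROWSER_COOKIE_SAMESITE and MINIO_BROWSER_FRAME_DENY are the hypothetical ones from this issue, while the cookie name and token are placeholders. It shows the two details a maintainer would want handled: a SameSite=None cookie is dropped by browsers unless it is also Secure, so that mode forces the Secure flag, and the frame-deny header defaults to DENY and is only removed on an explicit opt-out (at which point MINIO_BROWSER_CONTENT_SECURITY_POLICY with a frame-ancestors directive should restrict who may embed the console).

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

// Hypothetical setting names taken from the proposal in this issue; they are
// not existing MinIO console configuration keys.
const (
	envCookieSameSite = "MINIO_BROWSER_COOKIE_SAMESITE"
	envFrameDeny      = "MINIO_BROWSER_FRAME_DENY"
)

// parseSameSite maps a config value to a net/http SameSite mode.
// An empty value keeps today's default (Lax); unknown values are rejected
// instead of silently falling back.
func parseSameSite(v string) (http.SameSite, error) {
	switch strings.ToLower(strings.TrimSpace(v)) {
	case "", "lax":
		return http.SameSiteLaxMode, nil
	case "strict":
		return http.SameSiteStrictMode, nil
	case "none":
		return http.SameSiteNoneMode, nil
	}
	return 0, fmt.Errorf("%s: unsupported value %q (want lax, strict or none)", envCookieSameSite, v)
}

// frameDenyEnabled returns false only for an explicit opt-out, so the
// default behaviour stays X-Frame-Options: DENY.
func frameDenyEnabled(v string) bool {
	switch strings.ToLower(strings.TrimSpace(v)) {
	case "off", "false", "0", "no":
		return false
	}
	return true
}

// sessionCookie builds the console session cookie. Browsers reject a
// SameSite=None cookie that is not also Secure, so Secure is forced in that
// mode regardless of what the caller asked for.
func sessionCookie(token string, mode http.SameSite, secure bool) *http.Cookie {
	if mode == http.SameSiteNoneMode {
		secure = true
	}
	return &http.Cookie{
		Name:     "console-session", // placeholder name, not MinIO's real cookie
		Value:    token,
		Path:     "/",
		HttpOnly: true,
		Secure:   secure,
		SameSite: mode,
	}
}

// withFrameHeaders adds X-Frame-Options: DENY unless framing was explicitly
// allowed. When it is allowed, a CSP frame-ancestors directive should limit
// the embedding origins instead.
func withFrameHeaders(next http.Handler, frameDeny bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if frameDeny {
			w.Header().Set("X-Frame-Options", "DENY")
		}
		next.ServeHTTP(w, r)
	})
}

// frameOptionsFor sends one request through withFrameHeaders and reports the
// resulting X-Frame-Options header ("" when the header is absent).
func frameOptionsFor(frameDeny bool) string {
	h := withFrameHeaders(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}), frameDeny)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Header().Get("X-Frame-Options")
}

func main() {
	mode, err := parseSameSite(os.Getenv(envCookieSameSite))
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	c := sessionCookie("constructed-token", mode, false)
	fmt.Println("Set-Cookie:", c.String())
	fmt.Printf("X-Frame-Options: %q\n", frameOptionsFor(frameDenyEnabled(os.Getenv(envFrameDeny))))
}
```

Run with `MINIO_BROWSER_COOKIE_SAMESITE=None MINIO_BROWSER_FRAME_DENY=off go run .` to see the cookie emitted with `SameSite=None; Secure` and no X-Frame-Options header; with no variables set the output matches the current hard-coded behaviour.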

@SPodjasek (Author)

After further investigation it looks like setting SameSite=None might classify this cookie as "Third-party" and therefore still block it.
In our case one sensible solution would be to migrate all console related domain entries to be same origin as our root dashboard domain, so cookies won't be considered cross-origin.
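As an added illustration of the point in the comment above (not part of the original issue), this Go snippet decides whether a cookie set by an embedded console would count as first-party for the embedding dashboard. Browsers classify by site (scheme plus registrable domain, the eTLD+1), not by origin, so the console does not need to share the dashboard's exact host and port, only its registrable domain. The public suffix table here is a constructed three-entry stand-in; a real check should use the full public suffix list (for example golang.org/x/net/publicsuffix).

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed, deliberately tiny stand-in for the public suffix list.
var publicSuffixes = map[string]bool{"com": true, "net": true, "co.uk": true}

// registrableDomain returns the eTLD+1 of host ("example.co.uk" for
// "console.example.co.uk"), or "" when host is itself a public suffix.
func registrableDomain(host string) string {
	labels := strings.Split(strings.ToLower(host), ".")
	for i := 0; i < len(labels); i++ {
		if publicSuffixes[strings.Join(labels[i:], ".")] {
			if i == 0 {
				return ""
			}
			return strings.Join(labels[i-1:], ".")
		}
	}
	// No known suffix (e.g. an internal hostname): treat the whole name as the site.
	return strings.Join(labels, ".")
}

// sameSite reports whether cookies set by the embedded URL are first-party
// when its page is framed by the top-level URL: same scheme and same
// registrable domain; host and port may differ.
func sameSite(topLevel, embedded string) (bool, error) {
	a, err := url.Parse(topLevel)
	if err != nil {
		return false, err
	}
	b, err := url.Parse(embedded)
	if err != nil {
		return false, err
	}
	if a.Scheme != b.Scheme {
		return false, nil
	}
	ra, rb := registrableDomain(a.Hostname()), registrableDomain(b.Hostname())
	return ra != "" && ra == rb, nil
}

func main() {
	// Constructed dashboard and console URLs.
	for _, console := range []string{
		"https://minio-console.example.com:9090",
		"https://console.example.net",
	} {
		ok, _ := sameSite("https://dashboard.example.com", console)
		fmt.Printf("%s embedded in dashboard.example.com: same-site=%v\n", console, ok)
	}
}
```

The scheme check matters in practice: an https dashboard framing an http console is cross-site even on the same domain, and SameSite=None would not help because that cookie must be Secure anyway.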
