
fix: proper SameSite=None in dev mode #3502

Merged (1 commit, Apr 29, 2023)

Conversation

hperl (Contributor)

@hperl hperl commented Apr 26, 2023

Related issue(s)

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got the approval (please contact
    security@ory.sh) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further Comments

@hperl hperl requested a review from aeneasr as a code owner April 26, 2023 11:48
@hperl hperl requested a review from zepatrik April 26, 2023 11:48
@hperl hperl self-assigned this Apr 26, 2023
@zepatrik zepatrik (Member) left a comment

This could be a possible explanation: 921f8c2
Do we automatically set the cookies to not secure when in dev mode? In that case we need to change that as well, so they are always secure. Then none should work.

codecov bot commented Apr 26, 2023

Codecov Report

Merging #3502 (c242591) into master (cf20054) will increase coverage by 0.02%.
The diff coverage is 100.00%.

❗ Current head c242591 differs from pull request most recent head 40c6ab3. Consider uploading reports for the commit 40c6ab3 to get more accurate results

@@            Coverage Diff             @@
##           master    #3502      +/-   ##
==========================================
+ Coverage   76.87%   76.89%   +0.02%     
==========================================
  Files         124      124              
  Lines        9175     9102      -73     
==========================================
- Hits         7053     6999      -54     
+ Misses       1673     1660      -13     
+ Partials      449      443       -6     
Impacted Files               Coverage Δ
driver/config/provider.go    82.75% <100.00%> (+0.76%) ⬆️

... and 2 files with indirect coverage changes

zepatrik previously approved these changes Apr 26, 2023

@zepatrik zepatrik (Member) left a comment

As discussed, we cannot assume an instance in dev mode is not using TLS. It is also not possible to tell in the service itself because the TLS connection might be terminated in a side-car or on the ingress level.
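
The rule behind this exchange is a browser one: a cookie sent with SameSite=None is discarded unless it also carries the Secure attribute, so a dev-mode shortcut that strips Secure silently breaks every SameSite=None session cookie. The Go program below is an added illustration of the behaviour the reviewers describe, not code from this pull request or from Kratos; the CookieOptions type, its field names, the cookie name and the sample Set-Cookie headers are constructed for the example. It forces Secure whenever SameSite=None is configured, whatever the dev-mode flag says, and includes a small audit helper that flags the broken combination in a raw Set-Cookie header using net/http's own parser.

```go
package main

import (
	"fmt"
	"net/http"
)

// CookieOptions holds the two settings the review thread turns on. The field
// names are assumptions for this example, not Kratos' configuration keys.
type CookieOptions struct {
	DevMode  bool          // the deployment runs in dev mode
	SameSite http.SameSite // configured SameSite policy for the session cookie
}

// BuildSessionCookie derives the Secure flag for a session cookie. The naive
// rule "dev mode => Secure=false" is wrong for SameSite=None: browsers reject
// SameSite=None cookies that lack Secure, so Secure is forced on in that case
// regardless of dev mode. The service cannot reliably know whether the client
// connection is TLS anyway, because TLS may be terminated by a side-car or at
// the ingress in front of it.
func BuildSessionCookie(opts CookieOptions, name, value string) *http.Cookie {
	secure := !opts.DevMode // plaintext cookies only as a dev-mode convenience
	if opts.SameSite == http.SameSiteNoneMode {
		secure = true // SameSite=None is only valid together with Secure
	}
	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   secure,
		SameSite: opts.SameSite,
	}
}

// AuditSetCookie parses a raw Set-Cookie header value with net/http's own
// parser and reports the SameSite=None-without-Secure mistake, which is what
// a reviewer would look for in a dev-mode response.
func AuditSetCookie(raw string) error {
	resp := &http.Response{Header: http.Header{"Set-Cookie": {raw}}}
	cookies := resp.Cookies()
	if len(cookies) == 0 {
		return fmt.Errorf("unparseable Set-Cookie header: %q", raw)
	}
	c := cookies[0]
	if c.SameSite == http.SameSiteNoneMode && !c.Secure {
		return fmt.Errorf("cookie %q has SameSite=None without Secure; browsers will drop it", c.Name)
	}
	return nil
}

func main() {
	cases := []CookieOptions{
		{DevMode: true, SameSite: http.SameSiteLaxMode},
		{DevMode: true, SameSite: http.SameSiteNoneMode},
		{DevMode: false, SameSite: http.SameSiteNoneMode},
	}
	for _, opts := range cases {
		c := BuildSessionCookie(opts, "session", "example-value")
		fmt.Printf("dev=%-5v samesite=%d -> %s (audit: %v)\n",
			opts.DevMode, opts.SameSite, c.String(), AuditSetCookie(c.String()))
	}
	// Constructed header showing the broken "before" behaviour: dev mode
	// dropped Secure but kept SameSite=None.
	broken := "session=example-value; Path=/; HttpOnly; SameSite=None"
	fmt.Println("audit of broken header:", AuditSetCookie(broken))
}
```

AuditSetCookie can be pointed at the Set-Cookie headers of a real dev-mode response to confirm a deployment does not emit the rejected combination, independent of how the service was configured.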

@hperl hperl force-pushed the hperl/fix-dev-samesite-none branch from 696d962 to 40c6ab3 April 27, 2023 07:49
@hperl hperl requested review from zepatrik and aeneasr April 27, 2023 07:53
@aeneasr aeneasr merged commit 5751fae into master Apr 29, 2023
@aeneasr aeneasr deleted the hperl/fix-dev-samesite-none branch April 29, 2023 15:15
Labels: None yet
Projects: None yet
3 participants