-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#5011 Fix to set Secure attribute on cookie when SameSite=none #5064
#5011 Fix to set Secure attribute on cookie when SameSite=none #5064
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, minor change requested
src/storageManager.js
Outdated
@@ -64,7 +64,9 @@ export function newStorageManager({gvlid, moduleName, moduleType} = {}) { | |||
if (result && result.valid) { | |||
const domainPortion = (domain && domain !== '') ? ` ;domain=${encodeURIComponent(domain)}` : ''; | |||
const expiresPortion = (expires && expires !== '') ? ` ;expires=${expires}` : ''; | |||
document.cookie = `${key}=${encodeURIComponent(value)}${expiresPortion}; path=/${domainPortion}${sameSite ? `; SameSite=${sameSite}` : ''}`; | |||
var isNone = (sameSite != null && sameSite.toLowerCase() == 'none') | |||
var secure = (isNone) ? '; Secure' : ''; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you use const here and for isNone as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Made requested change to use const. Thanks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, although probably should have test coverage
…rebid#5064) * prebid#5011 Fix to set Secure attribute on cookie when SameSite=none * Minor change to use const instead of var per review request.
* 'master' of https://github.com/prebid/Prebid.js: (102 commits) Marsmedia - Add vastXml and fix id response (prebid#5067) PubMatic adapter to support image sync (prebid#5104) minor consentManagement fix (prebid#5050) fix circle ci failing tests (prebid#5113) Add Relaido Adapter (prebid#5101) Add new bid adapter for ConnectAd (prebid#4806) change payload (prebid#5105) Utils updates (prebid#5092) Read OpenRTB app objects if set in config + bug fix for when ad units are reloaded (prebid#5086) Criteo : added first party data mapping to bidder request (prebid#4954) updateAdGenerationManual (prebid#5032) New bid adapter: Wipes (prebid#5051) Prebid manager analytics utm tags (prebid#4998) CRITEO RTUS Integration with Yieldmo Prebid (prebid#5075) isSafariBrowser update (prebid#5077) Support min &max duration for onevideo (prebid#5079) increment pre version Prebid 3.15.0 release prebid#5011 Fix to set Secure attribute on cookie when SameSite=none (prebid#5064) Prebid adapter for windtalker (prebid#5040) ...
…rebid#5064) * prebid#5011 Fix to set Secure attribute on cookie when SameSite=none * Minor change to use const instead of var per review request.
Type of change
Description of change
This change modifies the storageManager to detect if SameSite=None is used in the set cookie options. When the value "none" is specified for SameSite the browser also requires that the cookie be marked "Secure". This change automatically applies the "Secure" attribute when samesite=none is detected.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
Tested against DigiTrust ID that sets cookie.
(/integrationExamples/gpt/digitrust_Simple.html) sample page.
Note: this must be run over HTTPS connection to operate correctly.
Other Information
Must be run over HTTPS connection to operate correctly. Testing this over HTTP is an invalid scenario.