Add an option to set the SameSite policy in the CookieCsrfTokenRepository #12086

Closed
kumo829 opened this issue Oct 26, 2022 · 2 comments
Labels: in: web (An issue in web modules (web, webmvc)), type: enhancement (A general enhancement)

Comments

kumo829 (Contributor) commented Oct 26, 2022

Expected Behavior

The class org.springframework.security.web.csrf.CookieCsrfTokenRepository should allow setting the SameSite policy as an optional parameter; with this, when sending the CSRF token in a cookie instead of a header, no warning or error should be displayed in the browser's console.

Current Behavior

With the current implementation of org.springframework.security.web.csrf.CookieCsrfTokenRepository used to send the CSRF token in a cookie instead of a header (widely used when working with, for example, JWT), some browsers have started to report a warning stating that:

Cookie “XSRF-TOKEN” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

This same behavior happens for each response that includes the cookies (potentially every single request other than the login).

Currently, there is no way to set the SameSite policy in the class org.springframework.security.web.csrf.CookieCsrfTokenRepository, as internally it uses a jakarta.servlet.http.Cookie, which doesn't allow it either.

Context

I've started to see the previous message in the browser's console.
I don't know any workaround other than implementing my own version of org.springframework.security.web.csrf.CookieCsrfTokenRepository with the option of adding the SameSite policy, but I guess that this "problem" is affecting others the same way it is affecting me.

@kumo829 kumo829 added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Oct 26, 2022
kumo829 (Contributor, Author) commented Oct 26, 2022

As an additional comment, org.springframework.http.ResponseCookie does allow setting the SameSite policy.
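The workaround the reporter describes, a custom repository that writes the XSRF-TOKEN cookie through ResponseCookie so the SameSite attribute can be emitted, as an added example that is not part of this issue or of Spring Security. The class name is hypothetical, and it assumes the delegate's default cookie name (XSRF-TOKEN) and the non-HttpOnly variant used by JavaScript clients.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;

// Hypothetical class written for this example; it is not part of Spring Security.
// Token generation and lookup are delegated to CookieCsrfTokenRepository; only the
// cookie write is replaced so that the SameSite attribute can be set.
public final class SameSiteCookieCsrfTokenRepository implements CsrfTokenRepository {

    // Must match the delegate's default cookie name, otherwise loadToken() will not find it.
    private static final String COOKIE_NAME = "XSRF-TOKEN";

    private final CookieCsrfTokenRepository delegate = CookieCsrfTokenRepository.withHttpOnlyFalse();
    private final String sameSite;

    // "Strict" or "Lax"; "None" would reintroduce the cross-site sending the attribute exists to limit.
    public SameSiteCookieCsrfTokenRepository(String sameSite) {
        this.sameSite = sameSite;
    }

    @Override
    public CsrfToken generateToken(HttpServletRequest request) {
        return this.delegate.generateToken(request);
    }

    @Override
    public CsrfToken loadToken(HttpServletRequest request) {
        return this.delegate.loadToken(request);
    }

    @Override
    public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
        String contextPath = request.getContextPath();
        ResponseCookie.ResponseCookieBuilder builder = ResponseCookie
                .from(COOKIE_NAME, (token != null) ? token.getToken() : "")
                .path(contextPath.isEmpty() ? "/" : contextPath)
                .secure(request.isSecure())
                .httpOnly(false) // the client script reads this cookie and echoes it in the X-XSRF-TOKEN header
                .sameSite(this.sameSite);
        // A null token means "remove the cookie" (e.g. on logout): expire it immediately.
        // Otherwise leave Max-Age unset so it stays a session cookie, as the delegate does.
        builder.maxAge((token != null) ? -1 : 0);
        response.addHeader(HttpHeaders.SET_COOKIE, builder.build().toString());
    }
}
```

Register it with `http.csrf(csrf -> csrf.csrfTokenRepository(new SameSiteCookieCsrfTokenRepository("Strict")))`. On Spring Security 6.1 and later, the setCookieCustomizer method added by the commit linked below serves the same purpose without a custom class.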

@marcusdacoregio marcusdacoregio self-assigned this Oct 27, 2022
@marcusdacoregio marcusdacoregio added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 27, 2022
@marcusdacoregio marcusdacoregio modified the milestones: 6.0.x, 6.1.0-M1 Oct 27, 2022
kumo829 (Contributor, Author) commented Oct 29, 2022

I created a PR with a possible fix for this issue. Please, feel free to review it to see if it is good enough. Any comment will be greatly appreciated.

kumo829 added a commit to kumo829/spring-security-fork that referenced this issue Nov 18, 2022
…enRepository

- Mark setCookieHttpOnly, setCookieDomain, setCookieMaxAge and setSecure as deprecated.
- Add the method setCookieCustomizer which allows to set properties to the ResponseCookieBuilder without having to add new setter methods.

Closes spring-projectsgh-12086
@jzheaux jzheaux closed this as completed in b79ba89 Dec 5, 2022
jzheaux pushed a commit that referenced this issue Dec 5, 2022
- For CookieCsrfTokenRepositoryTests and
CookieServerCsrfTokenRepositoryTests

Issue gh-12086
jzheaux added a commit that referenced this issue Dec 5, 2022
Format
Issue gh-12086
jzheaux added a commit that referenced this issue Dec 5, 2022
Issue gh-12086
@marcusdacoregio marcusdacoregio added this to the 6.1.0-M1 milestone Dec 16, 2022