Fix cookies not working cross-site (SameSite=None; Secure)
Fix cookies not working cross-site (SameSite=None; Secure)
Fix https://gitlab.com/gitlab-org/gitter/webapp/-/issues/2441
Dev notes
-
x_session:server/web/express.js#L142-148 -
x_auth:server/web/middlewares/rememberme-middleware.js#L177-182 -
webfontsLoaded:public/js/utils/font-setup.js#L19 -
gitter_staging-> https://gitlab.com/gitlab-org/gitter/next-gitter-im/-/merge_requests/3- Need to update a separate project, https://gitlab.com/gitlab-org/gitter/next-gitter-im/-/blob/8779382c9930e480abfd6b4948c1fbb9072322ae/index.html#L151-157
-
gitter_tz:public/js/components/timezone-cookie.js#L47 -
fflip: (feature toggle)- We're using a fork of the npm package. But it looks like the official npm package hasn't been updated at all.
- The cookie setting is part of the package and we would need to add some more updates to set
sameSite. - I think I'll just skip this one for now. The feature toggles are not necessary to work in Sidecar
-
fp:public/js/components/fingerprint.js#L57 - Google analytics
- Optimizely
- Optimizely is being removed in https://gitlab.com/gitlab-org/gitter/webapp/-/merge_requests/1995
-
optimizelyEndUserId -
optimizelySegments -
optimizelyBuckets
If you try to test locally in localhost dev, the cookie will be rejected because SameSite requires the Secure attribute with HTTPS. So we don't try to add SameSite in dev localhost.
This Set-Cookie was blocked because it had the "SameSite=None" attribute but did not have the "Secure" attribute, which is required in order to use "SameSite=None".
Testing strategy
- Visit https://beta.gitter.im/ and deploy this branch to beta-staging
- Clear your cookies on beta
- Turn on beta-staging, https://gitlab.com/gitlab-org/gitter/webapp/-/blob/develop/docs/developer-faq.md#toggle-between-betabeta-staging
- Sign in to beta-staging
- Open the chrome devtools -> Application -> Cookies
- Notice the
SameSitecolumn and theNonevalues
Edited by Eric Eastwood