Fix cookies not working cross-site (SameSite=None; Secure)
Fix https://gitlab.com/gitlab-org/gitter/webapp/-/issues/2441
Dev notes

- `x_session`: server/web/express.js#L142-148
- `x_auth`: server/web/middlewares/rememberme-middleware.js#L177-182
- `webfontsLoaded`: public/js/utils/font-setup.js#L19
- `gitter_staging` -> https://gitlab.com/gitlab-org/gitter/next-gitter-im/-/merge_requests/3
  - Need to update a separate project, https://gitlab.com/gitlab-org/gitter/next-gitter-im/-/blob/8779382c9930e480abfd6b4948c1fbb9072322ae/index.html#L151-157
- `gitter_tz`: public/js/components/timezone-cookie.js#L47
- `fflip`: (feature toggle)
  - We're using a fork of the npm package. But it looks like the official npm package hasn't been updated at all.
  - The cookie setting is part of the package and we would need to add some more updates to set `sameSite`.
  - I think I'll just skip this one for now. The feature toggles are not necessary to work in Sidecar.
- `fp`: public/js/components/fingerprint.js#L57
- Google analytics
- Optimizely
  - Optimizely is being removed in https://gitlab.com/gitlab-org/gitter/webapp/-/merge_requests/1995
  - `optimizelyEndUserId`
  - `optimizelySegments`
  - `optimizelyBuckets`
If you try to test locally in localhost dev, the cookie will be rejected because `SameSite=None` requires the `Secure` attribute, which in turn requires HTTPS. So we don't try to add `SameSite` in dev localhost. Chrome reports the rejected cookie as:

> This Set-Cookie was blocked because it had the "SameSite=None" attribute but did not have the "Secure" attribute, which is required in order to use "SameSite=None".
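As an added illustration (not code from the Gitter webapp), the snippet below builds the cookie attributes the way this MR describes, only adding `SameSite=None; Secure` on an HTTPS origin and leaving `SameSite` off for plain-HTTP localhost dev, and mirrors the browser rule quoted above so the resulting `Set-Cookie` header can be checked before it ever reaches a browser. The helper names and the sample cookie value are assumptions made for the example.

```javascript
// Decide the attributes for a cookie that must work cross-site (e.g. when the app is
// embedded from another origin). `isSecureOrigin` is true when served over HTTPS
// (beta / beta-staging), false for http://localhost dev.
function crossSiteCookieOptions(isSecureOrigin) {
  const opts = { httpOnly: true, path: '/' };
  if (isSecureOrigin) {
    // Cross-site delivery needs both attributes together.
    opts.sameSite = 'None';
    opts.secure = true;
  }
  // On http://localhost a SameSite=None cookie would be blocked, so SameSite is skipped.
  return opts;
}

// Serialize a name/value plus the options above into a Set-Cookie header value.
function serializeSetCookie(name, value, opts) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// Mirror the browser check from the quoted warning: SameSite=None without Secure is
// blocked. Returns null when the cookie would be accepted, else the reason.
function setCookieRejectionReason(header) {
  const attrs = header.split(';').slice(1).map((s) => s.trim().toLowerCase());
  const sameSiteNone = attrs.includes('samesite=none');
  const secure = attrs.includes('secure');
  if (sameSiteNone && !secure) {
    return 'SameSite=None requires the Secure attribute';
  }
  return null;
}

// Constructed sample: the x_session cookie on HTTPS beta vs. on http://localhost dev.
const prodHeader = serializeSetCookie('x_session', 'sample-session-id', crossSiteCookieOptions(true));
const devHeader = serializeSetCookie('x_session', 'sample-session-id', crossSiteCookieOptions(false));
console.log(prodHeader, '->', setCookieRejectionReason(prodHeader));
console.log(devHeader, '->', setCookieRejectionReason(devHeader));
```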
Testing strategy

- Visit https://beta.gitter.im/ and deploy this branch to beta-staging
- Clear your cookies on beta
- Turn on beta-staging, https://gitlab.com/gitlab-org/gitter/webapp/-/blob/develop/docs/developer-faq.md#toggle-between-betabeta-staging
- Sign in to beta-staging
- Open the Chrome devtools -> Application -> Cookies
- Notice the `SameSite` column and the `None` values
Edited by Eric Eastwood