-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conditionally set authentication cookie sameSite for training instances #19356
Conversation
…ining_instance feature flag
I don't think a feature flag is the best mechanism here. How about using a regular configuration option instead? I would then give it a more distinct name and let it control the three different values of the attribute. Something like However, I'm not sure if only controlling the SameSite attribute will be enough to allow embedding the Graylog UI in an iframe in the future. Once all browsers have adopted a more restrictive third-party cookie policy, this might break again. Could you please check that? See https://developers.google.com/privacy-sandbox/3pcd. https://github.com/Graylog2/graylog-plugin-enterprise/issues/6860 might also be related. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of a feature flag, we should introduce one or two new configuration settings in the HttpConfiguration
class. Maybe http_cookie_secure
and http_cookie_strict_samesite
. Both should default to true
. Depending on their value, we would set the secure flag/same site setting or not. IMO this would be a more general approach to allowing users to customize behavior while still promoting secure settings.
I'm sure that alarm bells will go off in our training labs when this starts happening. In the mean time having this as a tunable will allow us to test this much easier. Though I would hardly recommend cross-site embedding Graylog in an iframe normally, nor ever turning this flag on in production. However, sometimes edge cases exist. |
I've created the same site configuration value like this, but because we already have some logic in the CookieFactory to determine how we want to set the secure value, I've created it as an override that defaults to false. If it is switched to true, then the existing
Yep, definitely looks like this will be a future problem once this gets enforced. However, in the short term I don't see a good way around it, at least not one feasible to get in relatively soon. I think it makes sense to go this route for now as a short-term solution for the ProServe team and then take this piece into consideration when investigating/working https://github.com/Graylog2/graylog-plugin-enterprise/issues/6860 you mentioned. @thll |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me now!
…es (#19356) * Conditionally set authentication cookie sameSite value based on config values
…es (#19356) * Conditionally set authentication cookie sameSite value based on config values
…es (#19356) * Conditionally set authentication cookie sameSite value based on config values
Set this value for training instances. See slack discussion in dev for context.
/nocl
Description
Motivation and Context
How Has This Been Tested?
Screenshots (if appropriate):
Types of changes
Checklist: