SameSite Setting for Cookies

[jakeshaffer]

• Gitea version (or commit ref): 1.6.2
• Git version: 2.20.1
• Operating system: CentOS 7
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL) https://observatory.mozilla.org/analyze/try.gitea.io, see "Anti-CSRF tokens set without using the SameSite flag"
  • No
  • Not relevant
• Log gist: N/A

Description

The SameSite setting should be enabled on the session and CSRF cookies as an added prevention against CSRF. Mozilla does a good job of explaining its purpose, but the gist is that it prevents cookies being sent in a request initiated from a foreign origin.

Screenshots

N/A

[silverwind]

Yes, this is a good idea, also see gogs/gogs#3525 (comment) for other cookie options.

[tbleiker]

What is the state on this?

[silverwind]

Not implemented to my knowledge. Browsers are moving towards enabling it by default, so the issue might solve itself eventually:

https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

[alexanderadam]

Browsers are moving towards enabling it by default, so the issue might solve itself eventually:

But this is not true for other settings that can increase security, right?

For example the others you mentioned, like HttpOnly and (see comment below) Secure

[dpertin]

@alexanderadam HttpOnly option is implemented since #4706.
However, according to Mozilla Observatory, it seems to be the only one:

[alexanderadam]

Ah okay, I didn't know that. Thank you for pointing out, Dimitri. 👍

[dpertin]

While waiting for these flags to be set at the application level, I found a workaround which consists in setting cookie flags at the web server level. For instance with nginx, one could adapt the configuration sample provided by the documentation by using the proxy_cookie_path directive as such:

server {
    (...)

    location / {
        # Workaround to set cookie flags:
        proxy_cookie_path / "/; Secure; HttpOnly; SameSite=lax";

        proxy_pass http://localhost:3000;
    }
}

Which results in:

If your instance of gitea is supposed to be accessed with an unsecure channel (HTTP), remove the Secure flag. I also set SameSite to Lax which provides a reasonable level of protection. Strict mode implies higher security rules but it might have potential drawbacks since it prevents the browser from attaching any cookies to cross-site requests. I do not know gitea enough to determine if it could be a problem.

[m-ueberall]

FYI, the corresponding apache2 directive is ProxyPassReverseCookiePath – just put this below the ProxyPassReverse directive from the configuration sample:

ProxyPassReverseCookiePath / "/; HttpOnly; Secure; SameSite=lax"

Here, the HttpOnly; specifically addresses issue #9690 (lang cookie) en passant …